Goal and Performance Highlights

Performance
In 2024, there were no complaints regarding customer privacy violations and no incidents of customer data leaks or losses.
Goal
By 2030, there will be no complaints related to customer privacy violations, customer data breaches or losses, or impacts from privacy violations affecting stakeholders.

Challenges and Opportunities

In the digital era where technology plays an increasingly vital role in business operations, Central Pattana Public Company Limited must contend with continuously evolving cyber threats. This requires ongoing surveillance, enhancement, and reinforcement of security measures. Moreover, compliance with data protection laws, such as the Personal Data Protection Act B.E. 2562 (PDPA), presents an ongoing challenge due to the complexity of the regulatory requirements and the need for strict legal adherence.

Beyond cybersecurity, the company is also tasked with managing vast volumes of data from various sources—particularly customer data—which must be protected in accordance with international standards to ensure the highest level of information security. Nevertheless, Central Pattana sees this as an opportunity to build stronger trust among customers through robust data protection practices. Effective data protection not only strengthens brand loyalty and trust but also reduces the risk of financial losses from data breaches and enhances the company's competitive advantage and corporate reputation.

Furthermore, the integration of advanced digital technology with stringent security protocols significantly improves operational efficiency.

Investing in secure technologies also drives innovation and business growth—factors that are instrumental in laying the foundation for long-term organizational sustainability.

Management Approach and Value Creation

Central Pattana Public Company Limited places utmost importance on information security, cybersecurity, and personal data protection as a means of building stakeholder trust—including customers, partners, shareholders, and all related parties. The company is committed to aligning its operations with international standards and strictly complying with relevant laws and regulations.

Cybersecurity and personal data protection have been defined as critical organizational risk indicators. The company monitors and reports performance in these areas regularly to the Board of Directors to strengthen risk management on an ongoing basis. Additionally, an IT Security team has been established under the leadership of the Central Group's Chief Information Security Officer (CISO), who plays a key role in setting cybersecurity strategies and coordinating with both internal and external stakeholders. The company also prioritizes the appointment of board members with expertise in information technology to enhance the Board’s oversight capabilities in a rapidly evolving digital landscape.

  • Oversee the availability of information systems, both hardware and software
  • Manage data center security systems, including physical disaster prevention systems in case of emergencies
  • Coordinate with the Risk Management Unit for annual emergency response drills simulating system failure scenarios
  • Serve as an equivalent to a Security Operations Center (SOC)
  • Monitor threats and inspect access to the organization’s network and information systems
  • Respond swiftly to threats or abnormal events, conduct incident analysis, and implement preventive measures to minimize business impact
  • Conduct monthly vulnerability assessments and promptly patch high-risk vulnerabilities
  • Compile incident reports and mitigation measures to report to Central Group’s Chief Information Security Officer (CISO)
  • Define information security policies, standards, and implementation practices for software system development across the organization, along with training programs to build employee awareness and understanding
  • Ensure information security in accordance with the organization’s risk profile, based on CIA principles: Confidentiality, Integrity, and Availability — including personal data protection (PDPA), and criteria for selecting system developers and software vendors
  • Ensure cybersecurity compliance with legal obligations and international standards such as the NIST Cybersecurity Framework (NIST-CSF) and Center for Internet Security Controls (CIS)
  • Collaborate closely with Central Group’s Data Protection Officer (DPO)
  • Incorporate cybersecurity as a key organizational risk
  • Coordinate business continuity testing in case of information system failures
  • Perform random audits related to: (1) Program access control (2) Data confidentiality (3) Data integrity in systems

Cybersecurity Management Standards and Guidelines

The Company places high importance on protecting personal data, covering all customer touchpoints including retail stores, websites, mobile applications, customer service centers, online communication channels, and other locations where stakeholders’ personal data may be collected.

In collaboration with Central Group, the Company established a Data Protection Unit and appointed a Data Protection Officer (DPO) responsible for ensuring compliance with the Personal Data Protection Act B.E. 2562 (PDPA). Regular information exchange and preventive discussions among business units take place to safeguard against data breaches. The Company publicly discloses its Privacy Policy on both its website and at customer service areas within shopping centers and other data collection points. Additionally, a management manual is in place to guide the use of personal data in all operational steps in alignment with relevant laws, regulations, and internal privacy policies. These policies are communicated clearly to employees through the CPN-Personal Data Protection Act (PDPA 2019) and CRC-Personal Data Protection Act e-learning courses. Key data governance practices include maintaining a Record of Processing Activities, developing Consent Management systems, implementing Data Subject Rights Management procedures, defining Data Retention Policies, preparing necessary legal documentation (e.g., Data Processing Agreements), and establishing a clear Personal Data Breach Procedure.

To further strengthen accountability, the Company provides data subjects with multiple complaint channels, including an online complaint platform on the corporate website and the Customer Information Center at +66 (0) 2-667-5555. All complaints are reviewed by the Internal Audit Unit, reported to the Audit and Corporate Governance Committee, and forwarded to the responsible units for resolution. If an internal breach is confirmed, the Company will provide appropriate redress or compensation.

Personal Data Protection and Legal Compliance

Protecting personal data is a key responsibility of Central Pattana Public Company Limited. The Company strictly complies with the Personal Data Protection Act B.E. 2562 (PDPA) through a clearly defined Privacy Policy and obtains consent prior to the collection, use, or disclosure of personal data. A comprehensive Data Governance Framework has been established to monitor, control, and protect customer data efficiently, supported by a Data Breach Response Plan that enables rapid incident resolution.

Cultivating a Cybersecurity Culture

To maximize the effectiveness of cybersecurity operations, the Company promotes a strong Cybersecurity Culture through the following key measures:

  • Cyber Awareness Training for all employees to enhance awareness and reduce risks arising from unsafe behaviors
  • Regular Cybersecurity Incident Response Drills to ensure preparedness and effective problem resolution
  • A dynamic Risk Management Strategy that evolves with emerging cybersecurity threats

Cyber Risk Management and Cyber Insurance

Acknowledging the potential business impact of cyber threats, the Company has adopted Cyber Insurance to mitigate unexpected losses. It also enforces rigorous Third-Party Risk Assessments to ensure that business partners with access to Company data adhere to adequate security standards.

Executive Oversight and Governance

Cybersecurity and data protection are governed at the highest levels of the organization. These areas are identified as key organizational risks and are regularly monitored and reported to the Board of Directors. The IT Security Team, led by the Central Group’s Chief Information Security Officer (CISO), is responsible for developing cybersecurity strategies and collaborating with both internal and external stakeholders. The Company also promotes the appointment of Board members with expertise in information technology to ensure effective governance in today’s dynamic digital landscape.

Commitment to Sustainable Cybersecurity

Central Pattana Public Company Limited believes that robust cybersecurity and data protection not only mitigate business risks but also serve as critical strategies for building trust with customers and stakeholders. The Company is committed to continuously enhancing cybersecurity standards in alignment with global trends to ensure long-term sustainable growth in the digital age.

Stakeholders Directly Impacted

Tenants and Lessees (Retail and Offices) and Residential Customers
Employees
Customers
Suppliers and business partners
Communities / Community representatives including regulators and government bodies, academia and independent organizations
Shareholders
Creditors