Legal provisions are often abstract, but when implemented at the Information Technology (IT) system level, they must be translated into concrete parameters and settings. With the announcement of the draft “Regulations on Security Maintenance and Management of Personal Data Files” (hereinafter referred to as the Draft), personal data protection is no longer solely the responsibility of the legal department; the IT department shoulders the heavy responsibility of technical compliance on the front line. 

Many corporate IT managers often ask: “Exactly how long do logs need to be kept?” or “If the data is deleted, why do we still need to keep a record?” Based on the technical regulations in Articles 12 to 15 and Article 23 of the Draft, this article analyzes the compliance indicators that IT departments must master. 

1. Digital Footprint: Retention and Duration of System Logs 

When a personal data leak or theft occurs, system logs are the only evidence of the “crime scene.” Article 13 of the Draft requires that the information and communication systems of all enterprises must possess the capability to record specific events. 

  • What to Record? It is mandatory to record the functions executed by administrator accounts of the information and communication system, as well as specific system events (such as user login/logout, data access, modification, deletion, permission changes, etc.). 
  • How Long to Keep? 
    ◦ General Non-Government Agencies: Article 13 of the Draft only requires “establishing an appropriate retention period,” giving enterprises flexibility based on risk. 
    ◦ Large Non-Government Agencies: Article 23 of the Draft clearly draws a red line: logs must be preserved for “at least 6 months.” 

Although general enterprises are not mandated to follow the 6-month rule, considering that the dwell time of personal data incidents often lasts for weeks or even months, our firm suggests that general enterprises refer to the standards for large enterprises and set the log retention period to 6 months or more. This is to avoid being unable to clarify liability due to lack of evidence and consequently being deemed by the competent authority as failing to fulfill custodial obligations. 

2. The Art of Deletion: Not Just Destruction, But Retention of Records 

After the termination of business (such as client contract termination, project completion), how should personal data be handled? Article 15 of the Draft proposes strict procedural requirements: 

  • Standard for Destruction: Appropriate deletion measures must be taken to render the data “irrecoverable” (e.g., physical destruction or digital wiping). 
  • The Crucial 5 Years: The most easily overlooked point is that after deleting data, a “Deletion Record” (including method, time, and location of deletion) must be retained, and this record must be kept for at least 5 years. 

In other words, to prove “we do not hold the data,” the enterprise must hold a document proving “I have already deleted the data” for 5 years. This is to ensure that if a dispute arises in the future (e.g., a client complains 3 years later that their data was misused), the enterprise can produce evidence proving the data was destroyed long ago and misuse was impossible. 
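As an added example (not part of the article or of the Draft), the thresholds from sections 1 and 2 expressed as a small Python policy check: the 6-month and 5-year figures are the article's, while the event names, the deletion-record fields and the reading of "6 months" as 180 days are assumptions made for this example.

```python
# Added example: retention checks for Articles 13/23 (logs) and 15 (deletion
# records) as summarised in the article. Event names, record fields and the
# 180-day reading of "6 months" are assumptions, not text of the Draft.
from dataclasses import dataclass
from datetime import date

LOG_RETENTION_DAYS = 180               # Article 23: "at least 6 months" (assumed 180 days)
DELETION_RECORD_RETENTION_YEARS = 5    # Article 15: deletion record kept at least 5 years
REQUIRED_LOG_EVENTS = {                # Article 13 event types named in the article
    "admin_function", "login", "logout", "data_access",
    "modification", "deletion", "permission_change",
}

@dataclass(frozen=True)
class DeletionRecord:
    """What the enterprise keeps after the personal data itself is gone."""
    dataset_ref: str   # pseudonymous pointer to what was deleted, never the data
    method: str        # e.g. "digital wipe" or "physical destruction"
    deleted_on: date   # time of deletion
    location: str      # system or medium the data lived on

def add_years(d: date, years: int) -> date:
    """Calendar-year offset; 29 February rolls to 1 March in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)

def deletion_record_expiry(rec: DeletionRecord) -> date:
    """Earliest date on which the deletion record itself may be discarded."""
    return add_years(rec.deleted_on, DELETION_RECORD_RETENTION_YEARS)

def validate_deletion_record(rec: DeletionRecord) -> list[str]:
    """Article 15 asks for method, time and location; flag any that is blank."""
    return [f"deletion record {rec.dataset_ref}: missing {field}"
            for field in ("method", "location") if not getattr(rec, field).strip()]

def check_log_config(retention_days: int, recorded_events: set[str],
                     large_agency: bool) -> list[str]:
    """Findings for one system's log settings; an empty list means compliant."""
    findings = []
    missing = REQUIRED_LOG_EVENTS - recorded_events
    if missing:
        findings.append(f"log config does not record: {sorted(missing)}")
    if retention_days < LOG_RETENTION_DAYS:
        level = "required" if large_agency else "recommended"
        findings.append(f"log retention {retention_days}d below {level} {LOG_RETENTION_DAYS}d")
    return findings
```

Run `check_log_config` once per system from the log-policy inventory in section 5, and keep the `DeletionRecord` rows (not the deleted data) until `deletion_record_expiry` has passed.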

3. Permissions and Backups: Least Privilege and Encryption Protection 

Regarding system access and backups, Articles 12 and 14 of the Draft establish clear technical thresholds: 

  • Principle of Least Privilege: User permissions should be limited to business needs, and accounts should be reviewed periodically to remove dormant accounts or those of departed personnel. 
  • Strong Password Policy: It is mandatory to require users to set passwords that meet complexity requirements and to change them periodically. 
  • Backup Encryption: Backups must not become a security vulnerability. The Draft requires that appropriate protection measures (e.g., encryption) be taken for backup data, and its availability must be ensured (e.g., conducting periodic restoration drills). 

Although recent international cybersecurity trends (such as NIST guidelines) tend to move away from forcing users to change passwords periodically to avoid user fatigue or weak passwords, according to the legislative explanation of the current Draft, “periodic changes” are still listed as necessary control measures. Until the regulations are amended, it is recommended that enterprises continue to require users to change passwords periodically in accordance with the law to ensure compliance. 

4. Before System Launch: Source Code Review and Penetration Testing 

If an enterprise belongs to a “Large Non-Government Agency” and its information system provides external services (such as Web, App), Article 23 of the Draft adds higher-intensity development security norms: 

  • Before Launch: Source code reviews, vulnerability scans, and penetration tests must be conducted, and the system can only go live after vulnerabilities are patched. 
  • After Launch: The aforementioned tests must continue to be conducted. 

In other words, security testing must be built into the DevOps process (SecDevOps); security cannot be sacrificed for the sake of a quick launch. For general enterprises, although not legally mandatory, if the system involves a large amount of personal data, this remains the best practice to prove that “appropriate security maintenance measures” have been taken. 

5. Recommendation: Dialogue Between IT and Legal 

Compliance with the new PDPA can no longer be achieved by the legal department working in isolation; it requires deep collaboration with the IT department. We recommend enterprises take the following actions: 

  1. Inventory Log Policies: Check the log settings of existing systems (including on-premise servers and cloud services). Do they contain sufficient fields? Is the retention period sufficient? 
  2. Establish Deletion SOPs: Design a standardized “Data Destruction Record Form” to ensure that after IT personnel execute deletion commands, written or digital records are archived. 
  3. Budget Allocation: If the enterprise falls under the category of a Large Non-Government Agency, it is recommended to allocate a budget for annual vulnerability scans and penetration tests. 

Our firm possesses extensive experience in corporate personal data legal affairs and compliance implementation. If your company has any questions regarding system compliance reviews, formulation of retention policies, or review of cybersecurity procurement contracts, please feel free to contact us at any time. Our team of professional lawyers will provide you with precise legal analysis and solutions. 


Special Note: The draft subsidiary regulations mentioned in this article (such as the Regulations on Security Maintenance, etc.) are pre-announcement versions released by the Preparatory Office of the Personal Data Protection Commission between January and February 2026. As of the time of writing, they are in the public comment phase, and the official provisions may be further adjusted based on feedback from various sectors. Readers are advised to stay updated on the latest regulatory developments. 
