Cybersecurity and Personal Data Protection
Supporting the SDGs
Goals and Performance Highlights
- material personal data breaches involving customers or employees that resulted in regulatory enforcement actions during the reporting period
- substantiated personal data breach incidents to be investigated and remediated within defined timelines
- Continued promotion of awareness and communication on personal data protection and cybersecurity through internal engagement and practices across the organization
- 0 cases of substantiated complaints regarding breaches of customer privacy, as follows:
Stakeholders Directly Impacted
Customers
Employees
Shareholders
Government Agencies
Commitment, Challenges, and Opportunities
MR. D.I.Y. places importance on strengthening cybersecurity measures and personal data protection to support secure, transparent, and compliant business operations in the digital era in line with the Personal Data Protection Act B.E. 2562 (PDPA). The Company has established policies and data management practices to help prevent data leakage, unauthorized access, and technology-related risks, while supporting responsible data management and strengthening the confidence of customers and stakeholders.
At the same time, the Company recognizes the ongoing challenges posed by evolving cyber threats and therefore emphasizes continuous monitoring, strengthening of security measures, and regular employee awareness activities. These measures not only help reduce business risks, but also strengthen the Company's readiness to respond to cyber incidents and support sustainable business operations.
Management Approach and Value Creation
Governance Structure
MR. D.I.Y. manages cybersecurity in a systematic manner under the oversight of the Audit and Risk Management Committee, which is responsible for supervising and monitoring cyber risks at the enterprise level. At the same time, the Chief Executive Officer (CEO), the Information Technology Department, and the Data Protection Officer (DPO) are responsible for implementing policies and data security measures to help prevent and mitigate risks posed by cyber threats on an ongoing basis.
Audit and Risk Management Committee
- Reviews and assesses the impacts of the Company’s cyber risks
Chief Executive Officer
- Sets the overall strategic direction and corporate-level policies, and monitors implementation progress
Information Technology Department
- Provides guidance and implements information security measures
- Regularly reviews and assesses compliance with internal information security requirements
Data Protection Officer
- Provides advice, oversight, and follow-up on personal data management to ensure compliance with applicable laws
- Reports personal data protection performance to the CEO on a regular basis
Cybersecurity Management Process
1. Information Technology Security Measures
MR. D.I.Y. has integrated cybersecurity risk management into its Enterprise Risk Management (ERM) process to support the systematic identification, assessment, and monitoring of risks that may affect business operations.
The Company has set out information technology security policies and practices, together with Standard Operating Procedures (SOPs), to provide a framework for overseeing and managing the security of its information systems in a structured and effective manner. Key measures include the following:
Access Control
The Company requires user authentication prior to accessing information systems. Access rights to systems and data are assigned based on roles and operational necessity, in line with the principle of least privilege.

Physical and Environmental Security
The Company limits access to areas related to information systems and critical infrastructure to authorized personnel only. Measures are also put in place to help manage risks arising from environmental factors, such as fire or power outages.

IT Operational Security
The Company oversees the use of information systems to ensure alignment with business purposes, with appropriate monitoring and review to help reduce risks arising from the inappropriate use of systems or data.

Incident Management
The Company has implemented processes for reporting and managing information security incidents to enable timely investigation, analysis, and remediation. Incidents are also reviewed to support the continuous improvement of control measures.

IT Asset Management
The Company requires the identification and appropriate maintenance of key information technology assets to help ensure that systems and equipment remain operational and continue to support business operations.

2. Information Security Management for Technology Business Partners
MR. D.I.Y. has set out an approach for overseeing the information security of data and information systems relating to business partners, service providers, and external parties that are granted access to the Company’s systems or data, in order to help mitigate risks that may affect information security and business operations. Key measures include:

Personal Data Protection
MR. D.I.Y. recognizes the importance of personal data protection and has set out policies and security measures to help ensure that data is managed appropriately in accordance with the Personal Data Protection Act B.E. 2562 (PDPA) and other applicable laws. The Company also oversees the implementation of personal data protection practices across all employee levels to help prevent risks arising from unauthorized access, use, or disclosure of personal data.
The Company has published its Personal Data Protection Policy on its corporate website to enable stakeholders to access relevant information transparently and better understand their rights regarding personal data protection.
The Policy covers key areas such as the governance structure for personal data protection, data processing and data security management, the exercise of data subject rights, and the regular monitoring and review of compliance requirements. This helps support personal data management in a transparent, secure, and appropriate manner. Key approaches include:
In addition, the Company provides channels for submitting complaints, making enquiries, or exercising rights in relation to personal data in order to support transparent and accountable personal data management. Stakeholders may contact the Data Protection Officer (DPO) at:

Building a Culture of Cybersecurity and Personal Data Protection
To support the effective implementation of the Company’s cybersecurity and personal data protection practices, MR. D.I.Y. places importance on raising awareness and fostering a culture of data security across the organization. This helps employees and relevant personnel understand and apply data security measures appropriately and on an ongoing basis. Key initiatives include:

Cyber Awareness Training
The Information Technology Department prepares infographics and awareness materials on cybersecurity and shares them with employees monthly. These communications are intended to help employees understand potential cyber threats, appropriate preventive measures, and good practices for using the Company’s information systems.

Personal Data Protection Awareness Training
The Company regularly communicates and shares knowledge on personal data protection with employees through the “PDPA Alert” initiative. This serves as an awareness channel, providing monthly information and practical guidance on personal data management to strengthen understanding of PDPA requirements and the risks associated with the inappropriate use or disclosure of personal data.

Cybersecurity Incident Response Drill
The Company requires a cybersecurity incident response drill to be conducted at least once a year to support the readiness of relevant functions to respond to and manage incidents that may affect the Company’s information systems and data. These drills are designed to help personnel understand response procedures and respond appropriately and in a timely manner.
