Security of Personal Data Processing Under Cambodia's Draft Personal Data Protection Law

Cambodia's data protection landscape is evolving rapidly to align with international standards. Article 20 of the Draft Law, expected to take effect within two years of promulgation, introduces security obligations comparable to those found in the EU's GDPR and emerging Asian data protection frameworks. The provision reflects Cambodia's commitment to building trust in its digital economy while protecting the fundamental rights of data subjects.

The security mandate applies equally to data controllers (entities determining the purposes and means of processing) and data processors (entities processing data on behalf of controllers). This dual responsibility ensures comprehensive protection across the entire data processing ecosystem.

Article 20 requires organizations to implement measures preventing:

• Unauthorized access, collection, use, disclosure, copying, modification, or destruction of personal data
• Loss of any storage medium or device containing personal data
• Other potential risks arising from data processing activities

These obligations are not merely aspirational—they require demonstrable implementation of specific safeguards tailored to the organization's processing activities.

Before implementing security measures, organizations must conduct a comprehensive assessment evaluating four critical factors:

1. Impact on data subject rights and freedoms: Organizations must evaluate how potential security failures could affect individuals' fundamental rights. Higher-risk processing activities demand more robust protections.

2. Processing characteristics: The assessment must consider the type of personal data (with heightened scrutiny for sensitive data as defined in Article 14), the scope of processing operations, the context in which processing occurs, and the specific purposes pursued.

3. State-of-the-art technology: Security measures must reflect current technological capabilities. Organizations cannot rely on outdated protections when more effective solutions exist.

4. Cost considerations: While costs may be considered, they cannot justify inadequate security where significant risks exist. The assessment must balance implementation expenses against the circumstances and severity of potential risks.

Following risk assessment, Article 20 requires implementation of appropriate measures, specifically:

• Pseudonymization and encryption: Where necessary based on risk levels, organizations must deploy these techniques to render personal data unintelligible to unauthorized parties.
• System resilience: Organizations must ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. This encompasses both technological infrastructure and human processes.
• Recovery capabilities: Systems must enable timely restoration of data access and availability following physical or technical incidents.
• Continuous evaluation: Organizations must regularly test, assess, and evaluate their security measures' effectiveness, adapting to evolving threats and technological developments.

Organizations operating in or targeting Cambodia should take immediate steps to prepare for compliance:

• Conduct comprehensive security audits: Map all personal data processing activities under Article 18 and assess current security postures against Article 20's requirements.
• Develop risk assessment methodologies: Establish frameworks for evaluating the four mandatory assessment factors, ensuring consistency across business operations.
• Invest in technical infrastructure: Prioritize encryption and pseudonymization capabilities, particularly for sensitive personal data processing.
• Document security measures: Maintain detailed records demonstrating compliance with Article 20, as data controllers bear the burden of proving adequate security under Article 6.
• Establish governance structures: Designate responsibility for security oversight and create protocols for regular testing and evaluation.
• Consider cross-border implications: Organizations with regional operations should align Cambodian security measures with requirements under GDPR, ISO and other applicable frameworks.

The Ministry of Post and Telecommunications will provide detailed guidance through Common Guidelines on Personal Data Protection (Article 37), which will clarify specific technical standards and organizational practices. Organizations should monitor these developments closely and engage in consultations where possible.

As Cambodia's enforcement capabilities mature, organizations demonstrating proactive compliance with Article 20 will be better positioned to avoid administrative fines (up to 600 million Riels or 10% of annual turnover) while building consumer trust in an increasingly privacy-conscious market.