Thai business owners often hear PDPA (Personal Data Protection Act) and wonder whether Microsoft 365 alone makes them compliant. It does not—compliance is how you configure and govern the tenant, plus policies outside software (privacy notices, consent, vendor contracts). What M365 does provide is a practical control surface: identity, logging, sharing limits, and retention.
This guide is not legal advice. It maps common PDPA-oriented controls to admin center actions Thai SMEs can review with their lawyer or Data Protection Officer. Requirements vary by industry, data types, and whether you process data as controller, processor, or both.
What you are trying to prove
Regulators and enterprise customers typically expect reasonable safeguards for personal data—employee records, customer contacts, patient or student information, and finance KYC files. For a 30–200 person firm, that usually means:
- Knowing where personal data lives (mail, SharePoint, Teams, LINE exports you store elsewhere)
- Limiting who can access and share it
- Being able to investigate incidents (audit logs)
- Retaining and deleting data on a defined schedule—not forever by accident
Microsoft documents platform capabilities; your privacy policy documents what you actually do.
Checklist — identity and access
| Control | Where in M365 | SME starting point |
|---|---|---|
| MFA for all users | Entra ID → Security → MFA | Turn on before scaling users — see MFA guide |
| Separate admin accounts | Entra ID → Roles | No daily work in Global Administrator |
| Block legacy authentication | Entra ID → Security → Conditional Access | Legacy protocols (POP, IMAP, SMTP AUTH, basic-auth ActiveSync) cannot prompt for MFA, so they bypass it until blocked; run the block in report-only mode during the MFA pilot, fix any printer or line-of-business app still using them, then enforce |
| Guest access review | Entra ID → External identities | Quarterly review of B2B guests — Teams guest access |
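The four rows above can be checked from a console instead of clicking through one blade at a time. The script below is an added example, not part of the original guide or a Microsoft sample: it uses the Microsoft Graph PowerShell SDK to list enabled members with nothing stronger than a password registered, to list the current Global Administrator holders, and to create a Conditional Access policy that blocks legacy authentication in report-only mode. The break-glass group name SEC-BreakGlass and the policy name are assumptions; Conditional Access itself needs Entra ID P1, which Business Premium includes and Business Basic does not.

```powershell
# Added example (not from the original guide): identity review with Microsoft Graph PowerShell.
# Install once:  Install-Module Microsoft.Graph -Scope CurrentUser
# Assumptions: a break-glass group named "SEC-BreakGlass" exists; Entra ID P1 for Conditional Access.

Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All", "Group.Read.All",
                        "UserAuthenticationMethod.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Enabled members with no authentication method stronger than a password.
#    Per-user enumeration works on every licence tier (the registration report needs P1);
#    for a 30-200 person firm the extra calls take a minute or two.
$members = Get-MgUser -All -Filter "userType eq 'Member' and accountEnabled eq true" `
                      -Property Id, UserPrincipalName
$noMfa = foreach ($u in $members) {
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $strong  = $methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    }
    if (-not $strong) { $u.UserPrincipalName }
}
"$(@($noMfa).Count) of $(@($members).Count) enabled members have no MFA method registered"
$noMfa | Set-Content .\users-without-mfa.txt

# 2. Who holds Global Administrator today? Any account that also does daily work is a finding.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# 3. Block legacy authentication for everyone except the break-glass group.
#    Report-only first: read the sign-in log for a week, then change state to "enabled".
$breakGlass = Get-MgGroup -Filter "displayName eq 'SEC-BreakGlass'"
if (-not $breakGlass) { throw "Create the break-glass group before creating a block policy" }

$policy = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" covers all legacy protocols
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Keep the text file from step 1 as evidence for the audit trail: the same names should not still be on it after the MFA guide's rollout. Step 3 deliberately excludes a group rather than a single user so the break-glass account can be rotated without editing the policy.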
Checklist — sharing and collaboration
Personal data often leaks through over-sharing, not sophisticated hacks.
| Control | Where in M365 | SME starting point |
|---|---|---|
| Default external sharing | SharePoint admin center → Policies → Sharing | Start restrictive; open per site with owner training |
| "Anyone" links | Same + site-level settings | Disable or short expiry for libraries with HR/finance data |
| Teams guest settings | Teams admin center → Guest access | Align with vendor contract and DPO policy |
| Mailbox forwarding rules | Exchange admin → Mail flow → Remote domains; Defender → Anti-spam outbound policy → Automatic forwarding | Block auto-forward to personal mail at both settings unless a documented exception exists; review user inbox rules as well, since users create those without admin help |
Deep dive: SharePoint permissions.
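The sharing table above can be audited and enforced from PowerShell, which is also the only practical way to find inbox rules that quietly forward mail to a personal address. The script is an added example, not from the original guide or any Microsoft sample; it uses the SharePoint Online Management Shell and the ExchangeOnlineManagement module. The tenant name contoso, the /sites/HR URL and the 7-day link expiry are placeholders.

```powershell
# Added example (not from the original guide): sharing defaults and forwarding review.
# Modules: Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement.
# "contoso" and the /sites/HR URL are placeholders for your tenant.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-ExchangeOnline

# --- SharePoint and OneDrive: what the tenant allows today ---
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType

# Restrictive baseline: external sharing only to authenticated guests, default link scope
# "people in the organisation", and a 7-day lifetime for any anonymous link a site owner
# is later allowed to create.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -RequireAnonymousLinksExpireInDays 7

# Per-site override for HR/finance: no external sharing at all, whatever the tenant allows.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/HR" -SharingCapability Disabled

# Sites that still allow any external sharing are the ones to walk through with their owners.
Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, Owner, SharingCapability

# --- Exchange Online: mail leaving via forwarding ---
$ownDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

# a) Forwarding set on the mailbox object (by an admin, or by the user in Outlook settings).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# b) Inbox rules that forward or redirect to an address outside our domains.
#    External recipients render as '"Name" [SMTP:user@example.com]'; internal ones as [EX:...].
$leaks = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ("$t" -match '\[SMTP:([^\]]+)\]') {
                $addr = $Matches[1]
                if (($addr -split '@')[-1].ToLower() -notin $ownDomains) {
                    [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; To = $addr }
                }
            }
        }
    }
}
$leaks | Format-Table -AutoSize

# c) Tenant-wide stop: no automatic forwarding to remote domains, enforced at both layers.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Run section b) before section c): the rules themselves stay in place after forwarding is blocked, and a rule that redirects HR mail to a Gmail address is something to discuss with the user and the DPO, not just silently neutralise. Admin-created transport rules are a separate check (Get-TransportRule) and are not covered here.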
Checklist — logging and monitoring
PDPA breach response benefits from evidence: who accessed a mailbox, who downloaded a library, who changed sharing.
| Control | Where in M365 | SME starting point |
|---|---|---|
| Unified audit log | Purview compliance portal → Audit | Ensure auditing is on; search sign-in and file events |
| Admin role reviews | Entra ID → Roles and administrators | Quarterly — remove stale Global Admins |
| Alert policies (eligible plans) | Purview → Alert policies | Mass download, impossible travel, privilege escalation |
Audit (Standard) keeps events for a limited window; Audit (Premium), bundled with E5-class SKUs, extends retention to one year and offers a paid 10-year add-on. If customers demand forensic history beyond the standard window, confirm plan fit on M365 Deals.
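The monthly "sample review" the logging table asks for can be a script rather than a portal session, which also makes it repeatable by whoever inherits the task. The block below is an added example, not from the original guide or a Microsoft sample: it confirms unified auditing is on, pages through the last 30 days of sharing and download events with Search-UnifiedAuditLog, and summarises them per user. The 30-day window and the top-10 cut-off are arbitrary starting values.

```powershell
# Added example (not from the original guide): monthly audit spot-check over sharing and
# download events. Module: ExchangeOnlineManagement. 30 days is an illustrative window.
Connect-ExchangeOnline

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true   # recording can take hours to start
}

$end   = Get-Date
$start = $end.AddDays(-30)
$ops   = @("FileDownloaded", "FileSyncDownloadedFull", "SharingSet",
           "AnonymousLinkCreated", "SharingInvitationCreated", "AddedToSecureLink")
$downloadOps = @("FileDownloaded", "FileSyncDownloadedFull")

# Page through results; without a session ID the cmdlet returns a single page only.
$sessionId = [guid]::NewGuid().ToString()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page)
$records = $records | Sort-Object Identity -Unique          # ReturnLargeSet can repeat records
"{0} events between {1:d} and {2:d}" -f @($records).Count, $start, $end

# Each record carries its detail as JSON in AuditData.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $d.UserId
        Operation = $r.Operations
        Object    = $d.ObjectId
        IP        = $d.ClientIP
    }
}

# Who downloaded the most files? Compare with their role before calling it an incident.
$events | Where-Object { $_.Operation -in $downloadOps } |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count

# Every new sharing link or invitation, so the library owner can confirm it was intended.
$events | Where-Object { $_.Operation -notin $downloadOps } |
    Sort-Object Time | Format-Table Time, User, Operation, Object -AutoSize

# Keep the month's extract: it outlives the audit log's own retention window.
$events | Export-Csv ".\audit-spotcheck-$($end.ToString('yyyy-MM')).csv" -NoTypeInformation
```

One search returns at most 50,000 records even with ReturnLargeSet; if a month of activity exceeds that, split the window into weeks. The exported CSV is the cheap answer to "show me 12 months of history" on a plan whose audit retention is shorter than that.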
Checklist — retention and classification
| Control | Where in M365 | SME starting point |
|---|---|---|
| Retention labels / policies | Purview → Data lifecycle management | HR contracts 7 years; marketing lists shorter — legal sets durations |
| Sensitivity labels | Purview → Information protection | Tag contracts and ID scans; auto-label on Premium/E3+ |
| Recycle bins & litigation hold | SharePoint / Exchange | Know the difference: a deleted file sits in the recycle bin for a fixed recovery window, a retention policy keeps it for your schedule, and a litigation or eDiscovery hold overrides both until the hold is released |
Do not invent retention periods from this article—document them in an internal records schedule approved by counsel.
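For reference, this is what "retention labels / policies" in the table above look like as configuration. It is an added example, not from the original guide or a Microsoft sample, using Security & Compliance PowerShell (Connect-IPPSSession in the ExchangeOnlineManagement module). The durations, label names and site URLs are placeholders taken from the table's illustration; the records schedule approved by counsel supplies the real values.

```powershell
# Added example (not from the original guide): create retention labels and publish them
# to sites with Security & Compliance PowerShell. All durations and URLs are placeholders.
Connect-IPPSSession

$hrDays        = 7 * 365    # placeholder, from the table's "HR contracts 7 years"
$marketingDays = 2 * 365    # placeholder, "marketing lists shorter"
$hrSite        = "https://contoso.sharepoint.com/sites/HR"          # placeholder
$mktSite       = "https://contoso.sharepoint.com/sites/Marketing"   # placeholder

# Label 1: keep for the period, then delete. The clock starts at the last modification,
# so an amended contract is kept 7 years from the amendment, not from first upload.
New-ComplianceTag -Name "HR contract" `
    -RetentionAction KeepAndDelete -RetentionType ModificationAgeInDays -RetentionDuration $hrDays `
    -Comment "Employment contracts and payroll records; period per records schedule"

# Label 2: same mechanics, shorter period, clock starts at creation of the list file.
New-ComplianceTag -Name "Marketing contact list" `
    -RetentionAction KeepAndDelete -RetentionType CreationAgeInDays -RetentionDuration $marketingDays `
    -Comment "Consent-based marketing lists"

# A label policy is a retention policy whose rule publishes a label, so library owners
# can apply it, rather than applying one blanket period to the whole site.
New-RetentionCompliancePolicy -Name "Publish label - HR contract" -SharePointLocation $hrSite
New-RetentionComplianceRule  -Policy "Publish label - HR contract" -PublishComplianceTag "HR contract"

New-RetentionCompliancePolicy -Name "Publish label - Marketing list" -SharePointLocation $mktSite
New-RetentionComplianceRule  -Policy "Publish label - Marketing list" -PublishComplianceTag "Marketing contact list"

# Verify. Labels can take up to a day to appear in document libraries.
Get-ComplianceTag | Select-Object Name, RetentionAction, RetentionType, RetentionDuration
Get-RetentionCompliancePolicy -DistributionDetail | Select-Object Name, Enabled, DistributionStatus
```

KeepAndDelete is the setting that turns "keep forever by accident" into a defined schedule; a label with RetentionAction Keep alone never deletes anything. A litigation or eDiscovery hold on the same site suspends the delete step until the hold is released.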
Checklist — organizational (not a button in M365)
Software cannot replace these PDPA program pieces:
- Privacy notice (Thai language where customers expect it) describing what you collect and why
- Consent or lawful basis for marketing SMS, LINE broadcasts, and HR processing
- Processor agreements when vendors touch personal data on your behalf
- Data subject request process — who receives access/erase requests and within what timeline
- Named DPO or responsible person contactable by data subjects (when required)
Store request logs in a controlled SharePoint library or ticket system—not an individual's LINE thread.
Map: PDPA theme → M365 action
| Theme | Practical M365 lever |
|---|---|
| Security of personal data | MFA, Defender, managed devices (Intune on Premium) |
| Access limitation | Group-based site membership; no "Anyone" links and no "Everyone except external users" grants on libraries holding personal data |
| Accountability | Audit logs, change reviews, documented admin roles |
| Retention limitation | Retention policies + periodic site cleanup |
| Cross-border transfer | Understand tenant region; review Microsoft's DPA and sub-processors — see security FAQ data location section |
What usually requires Business Premium or higher
| Need | Typical SKU note |
|---|---|
| Intune device policies | Business Premium or Enterprise |
| Advanced DLP | Often E3/E5 or add-ons |
| Extended audit | Higher tiers or add-ons |
| eDiscovery cases | Enterprise compliance SKUs |
A firm on Business Basic can still run MFA, tighten sharing, and enable core audit—then upgrade when customers or sector rules demand more.
30-day rollout order for a busy owner
1. Week 1: MFA + admin account split — security baseline
2. Week 2: External sharing defaults + guest review
3. Week 3: Confirm unified auditing is on and that a named person can run searches; make that person responsible for a monthly sample review
4. Week 4: Draft retention durations with legal; publish one-page "where HR files go" rule
Run a license audit in parallel—zombie accounts are both a cost and a data-risk problem.
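The parallel licence audit, and the quarterly guest review from the identity checklist, come down to the same question: which accounts still exist but nobody uses? The script below is an added example, not from the original guide or a Microsoft sample, using Microsoft Graph PowerShell. It assumes Entra ID P1 (included in Business Premium) because the signInActivity property is not returned without it, and treats 90 days idle as an illustrative threshold.

```powershell
# Added example (not from the original guide): licence and stale-account audit with
# Microsoft Graph PowerShell. Assumptions: Entra ID P1 for signInActivity; 90 idle days
# is an illustrative threshold. Members and guests are reviewed in one pass.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Organization.Read.All"

$idleDays = 90
$cutoff   = (Get-Date).AddDays(-$idleDays)

# Friendly SKU names for the report (string keys so Guid/string mismatches cannot bite).
$skuName = @{}
Get-MgSubscribedSku | ForEach-Object { $skuName["$($_.SkuId)"] = $_.SkuPartNumber }

# signInActivity is only returned when explicitly selected; filter client-side to stay
# clear of Graph's restriction on combining it with other filters.
$users = Get-MgUser -All -Property Id, UserPrincipalName, UserType, AccountEnabled,
                                   CreatedDateTime, AssignedLicenses, SignInActivity

$report = foreach ($u in $users) {
    # Take the later of interactive and non-interactive sign-in so a service account that
    # only authenticates in the background is not wrongly reported as idle.
    $dates = @($u.SignInActivity.LastSignInDateTime,
               $u.SignInActivity.LastNonInteractiveSignInDateTime) | Where-Object { $_ }
    $last  = if ($dates) { ($dates | Measure-Object -Maximum).Maximum } else { $null }
    [pscustomobject]@{
        User       = $u.UserPrincipalName
        Type       = $u.UserType
        Enabled    = $u.AccountEnabled
        Licences   = (@($u.AssignedLicenses.SkuId) | ForEach-Object { $skuName["$_"] }) -join ";"
        LastSignIn = $last          # $null = no sign-in recorded since tracking began
        Created    = $u.CreatedDateTime
    }
}

# "Idle" = last seen before the cutoff, or never seen but created before the cutoff.
$isIdle = { ($_.LastSignIn -and $_.LastSignIn -lt $cutoff) -or (-not $_.LastSignIn -and $_.Created -lt $cutoff) }

# Zombies: enabled, licensed, idle. Both a cost and a credential nobody is watching.
$zombies = $report | Where-Object { $_.Type -eq 'Member' -and $_.Enabled -and $_.Licences -and (& $isIdle) }
# Disabled accounts still holding a licence: pure cost, and a mailbox that may still receive mail.
$disabledLicensed = $report | Where-Object { $_.Type -eq 'Member' -and -not $_.Enabled -and $_.Licences }
# Guests idle for the same period: removal candidates for the quarterly guest review.
$idleGuests = $report | Where-Object { $_.Type -eq 'Guest' -and (& $isIdle) }

"Zombie members: {0}; disabled but licensed: {1}; idle guests: {2}" -f `
    @($zombies).Count, @($disabledLicensed).Count, @($idleGuests).Count
@($zombies) + @($disabledLicensed) + @($idleGuests) | Export-Csv .\account-audit.csv -NoTypeInformation
```

Hand the CSV to HR and the line managers before disabling anything: a "zombie" is sometimes a shared mailbox login or a seasonal worker, and the decision to remove it belongs in the joiner/mover/leaver process, not in the script. On Business Basic, where signInActivity is unavailable, fall back to the Entra sign-in log export or the Microsoft 365 admin center's "Active users" last-activity column.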
When to bring in a partner
Engage your Microsoft CSP when you need:
- Premium/E5 uplift with written scope (DLP, Intune, extended audit)
- Tenant assessment before a customer security questionnaire
- Migration off personal LINE/USB habits into governed libraries — overlaps with LINE vs Teams
M365 Deals can quote plan upgrades and partner-led hardening workshops—bring your checklist results to the first call.
Copy-paste review agenda (for leadership + legal)
- Which libraries hold ID copies, payroll, or health data?
- Are MFA and guest policies documented?
- Who runs monthly audit spot-checks?
- Where do data subject requests land?
- Is retention defined per data type—not one-size "keep everything"?
Sign-off belongs to your DPO or legal adviser—this guide only lists controls worth discussing.