Malaysia PDPA 2024 — Expected Changes — What it means for your business

Vittorio Furlan
Published in DigitalForay
Nov 22, 2023

The Personal Data Protection Act 2010, or PDPA, is a legislative act in Malaysia that governs personal data collection, use, and protection. The primary objective of the PDPA is to regulate the processing of personal data in commercial transactions and to ensure that an individual’s personal data is adequately protected. The Act was introduced to bring Malaysia’s data protection standards in line with global norms and to address emerging issues related to the use and processing of personal data. The Act does not apply to government agencies.

The Malaysian Government announced its intention to review and update the PDPA in 2018, and we expect the changes to be rolled out in 2024. The proposed amendments aim to strengthen data protection and cybersecurity in Malaysia, particularly in light of increasing data breach incidents.

These are the five expected changes. Jump to the end to read Foray’s take on the changes.

1. Mandatory Appointment of a Data Protection Officer (DPO)

Businesses will be required to appoint a data protection officer for their organisation. This officer would oversee data protection strategy and implementation to ensure compliance with PDPA requirements. This change emphasises the importance of having a dedicated role within an organisation to manage and protect personal data, providing that data protection is a central consideration in the organisation’s operations.

The Data Protection Officer (DPO) requirement is not unique to Malaysia. Many other countries and legislations also mandate the appointment of a DPO, especially in the context of processing personal data. Here are a few examples:

  1. European Union: Under the General Data Protection Regulation (GDPR), organisations must appoint a DPO if they carry out large-scale processing of special categories of data or monitor individuals on a large scale.
  2. Philippines: The Data Privacy Act of 2012 requires the appointment of a DPO or a compliance officer for privacy, which ensures the organisation’s compliance with the law.
  3. Singapore: Under the Personal Data Protection Act 2012, organisations are encouraged to appoint a DPO to oversee the data protection responsibilities within the organisation.

The role best suited to become a Data Protection Officer (DPO) in an organisation can vary depending on the size and nature of the organisation and the complexity of its data processing activities. However, individuals in roles that involve legal, compliance, or information technology responsibilities are often well-suited to take on the DPO role due to their understanding of regulatory requirements and data processing activities. Here are a few roles that could be well-suited to become a DPO:

  1. Legal Counsel
  2. Compliance Officer
  3. IT Manager or Chief Information Officer (CIO)
  4. Risk Manager
  5. Privacy Officer

DPOs should report to C-level positions or even to the board.

2. Making Personally Identifiable Information (PII) Portable

Personally Identifiable Information (PII) refers to any data that can be used to identify a specific individual. In the context of Malaysia’s Personal Data Protection Act (PDPA), PII includes your full name, MyKad number, passport number, and email address. Under data portability, people can move their data from one service provider to another because they own it, rather than merely having access to it. This is very important in fields like healthcare, finance, and e-commerce, where a customer’s past actions and preferences can significantly affect their future interactions and experiences.

Data portability empowers users by allowing them to control their personal information and to access and move it between service providers. This protects user privacy and encourages competition among service providers, motivating them to enhance their services and data security procedures. However, data portability also brings risks and difficulties. Data in transit is exposed to potential breaches, so strong security measures are needed. Implementing data portability can be technically challenging, since it requires the standardisation of data formats across platforms. Data portability is a legal obligation in some jurisdictions, such as under the EU’s GDPR, which requires enterprises to provide users with their personal data in a “structured, commonly used, and machine-readable format.” Finally, depending on the volume and complexity of the data, data portability can be resource-intensive. Organisations may need to invest in new technologies or processes to ensure secure and efficient data transfer.

Businesses will need to redesign data management systems to facilitate the transfer and extraction of PII and implement straightforward protocols to manage requests for portability, ensuring data integrity and security.

3. Mandatory Data Breach Notification

Organisations will have to tell the authorities (likely PDPC) about any data breaches after this amendment goes into effect. This applies when private data has been compromised, hacked, or shared without authorisation.

It is reasonable to infer that this amendment will require organisations to promptly notify the relevant authorities and possibly the affected individuals following a data breach. This is in line with global trends in data protection legislation, such as the General Data Protection Regulation (GDPR) in the EU and the Personal Data Protection Act (PDPA) in Singapore, which both mandate timely data breach notifications. The purpose of such a requirement is to ensure that appropriate measures are taken promptly to mitigate the breach’s impact and to prevent further unauthorised access to or disclosure of personal data. It also upholds transparency and maintains trust between data users and data subjects.

Organisations need to develop several capabilities to notify data breaches effectively. Here are some key capabilities:

1. Detection and Identification: The first step in notifying a data breach is being able to detect and identify it. This requires robust cybersecurity systems and protocols to monitor and flag unusual activities. Advanced threat detection tools, intrusion detection systems, and regular security audits are essential.

2. Incident Response Plan: Organisations need a well-defined and rehearsed incident response plan. This plan should outline the steps to be taken immediately after a breach is detected, including the process for notifying the relevant parties.

3. Data Mapping: Understanding where data resides in the organisation’s systems is crucial. This helps quickly identify the data that has been compromised during a breach.

4. Risk Assessment: The ability to assess a breach’s severity and potential impact is essential. This helps prioritise responses and notifications, particularly when multiple breaches occur at the same time.

5. Communication: Clear and effective communication is critical in the aftermath of a data breach. Organisations must explain what happened, what data was compromised, what they’re doing to mitigate the situation, and what steps individuals should take in response.

6. Legal and Regulatory Knowledge: Understanding the legal and regulatory requirements for data breach notifications in the jurisdictions they operate in is crucial for organisations. This includes knowing whom to notify (such as regulatory bodies, affected individuals, or the public), when to notify (the timeframe), and what to include in the notification.

7. Technical Expertise: Finally, organisations need the technical expertise to fix the vulnerability that led to the breach, recover lost data if possible, and strengthen their systems to prevent future breaches.

4. Extension of the Security Principle to Data Processors

A data processor is defined as an individual or entity tasked with handling personal data at the directive of a data controller. This role involves multiple facets of data management, including but not limited to its acquisition, storage, retrieval, utilisation, transmission, and eventual deletion or archival. Under the proposed amendments to the PDPA, data processors will be required to comply with the security principle under the PDPA. This means they must take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. This includes ensuring that the data they process is securely stored and that appropriate security measures are in place to protect the data.

Likely Obligations of Data Processors:

Should Malaysia’s PDPA follow the framework of the General Data Protection Regulation (GDPR), the primary obligations would be as follows:

  • Security Measures: Data processors must institute technical and organisational safeguards tailored to ensure the protection and integrity of personal data.
  • Compliance with Controller’s Directives: All activities related to personal data must be executed in strict alignment with the data controller’s guidelines and objectives.
  • Support in Data Subject Requests: Data processors are obligated to assist data controllers in meeting the demands and requests of data subjects. This may encompass providing access to data, rectifying inaccuracies, or facilitating data deletion.
  • Breach Notification: In scenarios where data breaches occur, data processors are responsible for promptly notifying both the data controller and the respective supervisory authority, ensuring timely action and mitigation.

5. Cross-Border Data Transfers and the “Black-list”

Previously, the Minister would designate countries to which data could be sent based on their data protection laws (a whitelist), to make sure that personal data transmitted from Malaysia is adequately protected. The proposed amendment would replace the Minister’s ability to issue a whitelist with the ability to create a blacklist. This blacklist will include countries to which personal data transfers will be prohibited: countries that, according to Malaysian authorities, do not have adequate data protection measures in place.

The process of determining which countries to include on the blacklist would almost certainly involve a thorough examination of various countries’ data protection laws and practices. This could include evaluating the existing legal frameworks, the enforcement of data protection laws, and the rights and remedies available to individuals in those countries. The Minister would make the final decision on which countries to include on the blacklist, most likely with the help of the Personal Data Protection Department (PDPD) and other experts.

Foray’s take on the possible changes

We welcome the potential updates aimed at enhancing the protection of personal data. Implementing Mandatory Breach Notification, when effectively enforced, will compel organisations to revamp their data protection strategies and implement necessary upgrades. This shift will likely reveal many breaches, reminding all, including those not yet affected, of the crucial need for robust data protection capabilities. The Data Protection Officer (DPO) role will make this a reality.

We advocate for eliminating exemptions currently extended to government bodies and agencies. Given the vast amounts of personal data they handle, they must also adhere to these enhanced protection standards.
