Lee Hishammuddin Allen & Gledhill

[CYBER DATA PRIVACY] Special Alert: PDPA 2010 Amendments Approved by Cabinet

On 4 July 2024, Minister of Digital, Gobind Singh Deo, announced that the Cabinet has approved the proposed amendments to the Personal Data Protection Act 2010 (“PDPA 2010”), and they are expected to be tabled in the current parliamentary session. The Second Meeting of the Third Session of the 15th Parliament will convene from 24 June 2024 to 18 July 2024.

It is noteworthy that the key proposed amendments to the PDPA 2010 are influenced by the provisions of the European Union General Data Protection Regulation (“EU GDPR”). Hence, upon coming into effect, these proposals would significantly affect Malaysian organisations and how they handle data processing. Some of the key proposals highlighted by Gobind for amending the PDPA 2010 include:

a) Mandatory notification of personal data breaches;

b) Additional compliance responsibilities for data processors; and

c) The appointment of Data Protection Officers (“DPO”).

 

Mandatory Data Breach Notification

Earlier this year, Gobind announced that the Notification of Data Breach Guideline is among seven guidelines that will be developed by the Department of Personal Data Protection through the Personal Data Protection Commissioner and a company under the Ministry of Finance, namely Futurise Sdn Bhd. Comprehensive guidelines are crucial for an effective data breach notification regime. It is expected that the Notification of Data Breach Guideline would assist organisations in navigating the circumstances where mandatory reporting must be done, setting out, among others, a data breach preparation and response plan, and practical mitigation tips.


Additional Duties for Data Processors

Under the EU GDPR, data processors have a duty to, among others, implement appropriate security measures and demonstrate compliance with requirements imposed by data supervisory authorities. As the PDPA 2010 currently stands, a data user engaging a data processor is required to procure sufficient guarantees from the data processor in respect of technical and organisational security measures governing the processing to be carried out and to take reasonable steps to ensure compliance with those measures.

This is carried out by imposing obligations on data processors via a data processing agreement. Upon the amended PDPA 2010 being implemented, data processors may also be made liable for data breaches and will no longer be bound merely by the four corners of the data processing agreement.

 

Data Protection Officers

The EU GDPR requires a DPO to be appointed by data controllers and processors where certain thresholds are met. The duties of a DPO under the EU GDPR include working towards compliance with all relevant data protection laws, monitoring specific processes such as data protection impact assessments, raising awareness and training employees on data protection, as well as collaborating with supervisory authorities.

Currently, the PDPA 2010 does not mandate the appointment of a DPO. However, once this requirement is imposed by the amended PDPA, organisations that are not prepared may face practical issues, including the availability of expertise in the area and cost implications. It was also announced earlier this year that the Data Protection Officers Guidelines are among the seven guidelines that will be developed under the PDPA.

 

Conclusion

With the anticipated amendments to the PDPA 2010 scheduled for presentation by July 2024, it is crucial for organisations to initiate proactive preparations to ensure they can effectively implement the necessary operational measures. This includes reviewing existing data protection practices, assessing potential impacts of the amendments on current operations, and planning appropriate adjustments to policies and procedures. By taking these steps ahead of time, organisations can better navigate and comply with the forthcoming regulatory changes, thereby safeguarding data privacy and enhancing overall compliance efforts.

If you have any queries, please contact CDP Lawyer, Arissa Ahrom (aa@lh-ag.com).

Arissa Ahrom

Partner