On 4 July 2024, Minister of Digital, Gobind Singh Deo, announced that the Cabinet has approved the proposed amendments to the Personal Data Protection Act 2010 (“PDPA 2010”), and they are expected to be tabled in the current parliamentary session. The Second Meeting of the Third Session of the 15th Parliament will convene from 24 June 2024 to 18 July 2024.
It is noteworthy that the key proposed amendments to the PDPA 2010 are influenced by the provisions of the European Union General Data Protection Regulations (“EU GDPR”). Hence, upon coming into effect, these proposals would significantly affect Malaysian organisations and how they handle data processing. Some of the key proposals highlighted by Gobind for amending the PDPA 2010 include:
a) Mandatory notification of personal data breaches;
b) Additional compliance responsibilities for data processors; and
c) The appointment of Data Protection Officers (“DPO”).
Mandatory Data Breach Notification
Earlier this year, Gobind announced that the Notification of Data Breach Guideline is among seven guidelines that will be developed by the Department of Personal Data Protection through the Personal Data Protection Commissioner and a company under the Ministry of Finance, namely Futurise Sdn Bhd. Comprehensive guidelines are crucial for an effective data breach notification regime. It is expected that the Notification of Data Breach Guideline would assist organisations in navigating the circumstances where mandatory reporting must be done, setting out, among others, a data breach preparation and response plan, and practical mitigation tips.
Additional Duties for Data Processors
Under the EU GDPR, data processors have a duty to, among others, implement appropriate security measures and demonstrate compliance with requirements imposed by data supervisory authorities. As the PDPA 2010 currently stands, a data user engaging a data processor is required to procure sufficient guarantees from the data processor in respect of technical and organisational security measures governing the processing to be carried out and to take reasonable steps to ensure compliance with those measures.
This is carried out by imposing obligations on data processors via a data processing agreement. Upon the amended PDPA 2010 being implemented, data processors may also be made liable for data breaches and will no longer be bound merely by the four corners of the data processing agreement.
Data Protection Officers
The EU GDPR requires a DPO to be appointed by data controllers and processors where certain thresholds are met. The duties of a DPO under the EU GDPR include working towards compliance with all relevant data protection laws, monitoring specific processes such as data protection impact assessments, raising awareness and training employees on data protection, as well as collaborating with supervisory authorities.
Currently, the PDPA 2010 does not mandate the appointment of a DPO. However, once this requirement is imposed by the amended PDPA, organisations that are not prepared may face practical issues, including the availability of expertise in the area and cost implications. It was also announced earlier this year that the Data Protection Officers Guidelines are among the seven guidelines that will be developed under the PDPA.
Conclusion
With the anticipated amendments to the PDPA 2010 scheduled for presentation by July 2024, it is crucial for organisations to initiate proactive preparations to ensure they can effectively implement the necessary operational measures. This includes reviewing existing data protection practices, assessing potential impacts of the amendments on current operations, and planning appropriate adjustments to policies and procedures. By taking these steps ahead of time, organisations can better navigate and comply with the forthcoming regulatory changes, thereby safeguarding data privacy and enhancing overall compliance efforts.
If you have any queries, please contact CDP Lawyer, Arissa Ahrom ([email protected]).