One of the key updates in the recent amendments is the mandatory requirement for your organization to appoint a Data Protection Officer (DPO).
For smaller businesses, hiring a full-time DPO might seem financially daunting. However, there’s a practical alternative—engaging an external DPO, which can help you meet the requirements without the burden of a full-time hire.
Before exploring this option, let’s take a closer look at what the PDPA entails and the latest amendments you need to know.
What Is the PDPA?
The Personal Data Protection Act 2010 (PDPA) is Malaysia's law regulating the processing of personal data in commercial transactions. Its goals are to:
a) Protect personal data during commercial activities,
b) Ensure organizations handle personal data responsibly, and
c) Prevent misuse of personal information.
Malaysia has recently updated its data protection laws to align with global standards, including those in the European Union and ASEAN. The Personal Data Protection (Amendment) Act 2024 will come into effect in gradual stages on 1st January 2025, 1st April 2025, and 1st June 2025, introducing significant changes aimed at enhancing the protection of personal information in today’s digital economy. Below is a simplified breakdown of the key updates and their implications for businesses.
Key Updates Under the New Law
1. Replacing “Data User” with “Data Controller”
The term “data user” has been replaced with “data controller” to match international terminology. While the label has changed, the substance of the definition does not: a person or entity that processes personal data, or has control over or authorises its processing, remains the party primarily responsible under the Act.
2. Accountability for Data Processors
Previously, only data controllers were directly responsible for complying with the Security Principle. Now, data processors—third parties processing personal data on behalf of controllers—are bound by the same security obligations and can themselves face penalties if they fail to meet them. Controllers should therefore check that their processing contracts reflect these obligations.
3. Mandatory Data Breach Notifications
If a personal data breach occurs, the data controller must notify the Personal Data Protection Commissioner. If the breach is likely to result in significant harm to the individuals concerned, the affected data subjects must also be notified. Failure to notify is an offence punishable by a fine of up to RM250,000, imprisonment of up to two years, or both.
4. Biometric Data as Sensitive Information
Biometric data (e.g., fingerprints, facial recognition templates) is now classified as sensitive personal data, which may only be processed under the stricter conditions that apply to that category, such as the data subject's explicit consent. Businesses collecting such data must implement correspondingly stronger safeguards to protect it.
5. Mandatory Appointment of a Data Protection Officer (DPO)
Organizations must now appoint a Data Protection Officer (DPO) to oversee compliance with the law. This role is particularly crucial for businesses handling large-scale data processing. While detailed guidelines are pending, businesses can consider appointing either an internal or external DPO.
6. Right to Data Portability
Individuals can now request that their personal data be transmitted directly from one data controller to another, where this is technically feasible and the data formats are compatible. Controllers must respond to such requests within 21 days and ensure the data is transmitted securely.
7. Cross-Border Data Transfers
The previous “whitelist” approach, under which transfers were restricted to countries gazetted by the Minister, has been replaced. Personal data may now be transferred abroad where the destination jurisdiction has laws substantially similar to the PDPA or ensures an equivalent level of protection, in addition to the existing exceptions such as the data subject's consent. Businesses must still ensure proper safeguards are in place when transferring data internationally.
8. Increased Penalties
Penalties for breaching the Personal Data Protection Principles have been significantly raised. The maximum fine is now RM1 million, the maximum prison term is three years, and a court may impose both.
Preparing Your Business for Compliance
To navigate these new obligations, businesses should:
a) Review and update policies to align with the new requirements.
b) Train employees and partners on proper data protection practices.
c) Appoint a DPO (internal or external) to manage compliance efforts.
d) Ensure robust security measures are in place to safeguard personal data.
e) Establish clear procedures for handling data breaches and responding to data portability requests.
Why Compliance Matters
While data protection laws are commonly associated with safeguarding against external threats such as cyber attacks, it is equally important to remain vigilant about internal risks. Customer data, if inadequately protected, can be misused or stolen by disgruntled employees or through excessive access rights. Robust policies, access controls and procedures are essential to mitigating these risks and ensuring the security of sensitive information.
The recent updates emphasize the importance of safeguarding personal data not only to avoid penalties but also to build trust with customers and stakeholders. Adapting to these changes is a step towards demonstrating accountability and fostering confidence in your organization’s data handling practices.
By proactively addressing these requirements, businesses can mitigate risks, enhance their reputation, and ensure smooth operations in an increasingly data-driven world.
How We Can Help
With the new requirement to appoint a Data Protection Officer (DPO), some organizations may worry about the costs of hiring someone full-time to handle data protection tasks.
Do not worry!
The Personal Data Protection Commissioner’s Office has suggested in its public consultation papers that hiring an external DPO is allowed. An external DPO allows you to comply with the law without the added expense of hiring a full-time employee, offering a practical and cost-effective solution to meet your legal obligations.
A DPO’s role isn’t just about understanding the law—they ensure your organization handles personal data responsibly and stays compliant. Key responsibilities include:
a) Making sure your business follows the PDPA and related laws.
b) Creating and putting in place policies to protect personal data.
c) Reporting any data breaches to the authorities and those affected.
d) Training your staff on data protection and privacy practices.
e) Acting as your organization’s main point of contact with the authorities.
If you’re thinking about bringing in an external DPO, we’re here to help. Feel free to reach out to us at general@rajahchambers.com.
Our Suren Rajah holds the Certified Information Privacy Manager (CIPM) credential, a globally recognized certification issued by the International Association of Privacy Professionals (IAPP). We currently serve as an external DPO for several clients, helping them navigate their data protection responsibilities and obligations.