By Benjamin Shepherdson, Regional Consultant, Straits Interactive
Last July, Malaysia passed the Personal Data Protection (Amendment) Act 2024 (PDPA Amendment), introducing changes to the Personal Data Protection Act (PDPA) 2010 of Malaysia, which has been the longstanding legal framework for regulating the processing of personal data in commercial transactions. As one of Southeast Asia's pioneering data protection laws, the Malaysia PDPA has set a benchmark for regional standards. With new amendments introduced, the country is now seeking to align its approach closely with international data protection regimes and instill a greater sense of accountability in handling personal data.
Following the ancillary provisions that have already taken effect in the first phase on 1 January 2025, the remaining provisions of the 2024 Act are set to come into force in two more phases on 1 April 2025 and 1 June 2025, entailing key changes and new obligations on Data Controllers and Data Processors.
Here are the notable amendments coming into force:
Where the first phase outlined procedural modifications – such as permitting electronic service of notices and documents and ensuring that ongoing proceedings before 1 January 2025 adhere to the original PDPA 2010 provisions – the second and third phases usher in impactful reforms that form the core of Malaysia’s response to growing digitalisation, data breaches and cyberthreats.
To ensure compliance with the new requirements, entities handling personal data in Malaysia such as Data Controllers (i.e. organisations) and Data Processors should review and update their data protection policies and practices.
Increased Precautions in Handling Biometric Data
With the expanded definition of "sensitive personal data" that now includes biometric information, Data Controllers handling such data must implement stricter measures to secure it. This might require updates to one’s data handling and storage procedures, such as appropriate encryption and consideration of Privacy Enhancing Technologies (PETs) - or, in some cases, biometric PETs (B-PETs) - that could help one meet data protection requirements.
Supporting Data Portability for Data Subjects
Data Portability has now been added to the rights of Data Subjects, allowing individuals to transfer their data between Data Controllers. As such, Data Controllers will need to ensure their systems can support these requests, which may involve significant technical adjustments.
Raised Stakes to Comply With the PDPA
New obligations on Data Processors to comply with the Security Principle, together with increased penalties for non-compliance under the PDPA Amendment 2024, heighten the importance of Data Controllers adhering to the data protection principles, especially now that Data Processors will also be subject to penalties for data breaches. Data Controllers should be ready to update their practices with regard to how their Data Processors carry out their duties and obligations in compliance with the requirements introduced by the Act. Data Processors are required to take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
Need a refresher on the seven principles of the Malaysia PDPA? Here’s a quick memory jog.
More Due Diligence for Cross-Border Data Transfers
While the removal of the white-list regime in Section 129 of the PDPA could simplify international operations, it also requires Data Controllers to enhance their due diligence and ensure compliance with the new standards. Specifically, the receiving destination should have laws substantially similar to the PDPA, or provide a level of protection for the processing of personal data that is at least equivalent to the protection afforded by the PDPA. Alternatively, Data Controllers can rely on the other exceptions set out in the Act itself.
Assigned Accountability with a Data Protection Officer
The requirement for Data Controllers to appoint a Data Protection Officer (DPO) under the PDPA Amendment 2024 significantly increases organisational accountability in several ways:
1. Dedicated Oversight: The DPO is responsible for ensuring that the organisation complies with data protection laws and policies. This includes monitoring data processing activities, conducting regular audits, and providing advice on data protection impact assessments.
2. Central Point of Contact: The DPO serves as the main point of contact for data protection authorities and individuals whose data is being processed. This facilitates better communication and quicker resolution of data protection issues.
3. Enhanced Compliance: By having a dedicated officer, Data Controllers are more likely to stay updated with the latest data protection regulations and best practices. This proactive approach helps in mitigating risks associated with data breaches and non-compliance.
4. Training and Awareness: The DPO is also responsible for training staff on data protection principles and practices. This ensures that all employees are aware of their responsibilities and the importance of protecting personal data.
5. Policy Development: The DPO plays a crucial role in developing and implementing data protection policies and procedures tailored to the organisation's specific needs. This helps in creating a robust data protection framework.
Greater Transparency in Handling Data Breaches
The new Data Breach Notification (DBN) requirements promote transparency and encourage better data protection practices, with several important requirements for Data Controllers:
1. Mandatory Notification: Data Controllers and Data Processors are required to notify both the Personal Data Protection Commissioner (PDPC) and the affected individuals in the event of a data breach, which includes incidents such as breach, loss, misuse or unauthorised access of personal data. This mandatory notification must be made within a specified timeframe, typically within 72 hours of becoming aware of the breach.
2. Transparency and Trust: By promptly notifying affected individuals, Data Controllers can maintain transparency and build trust with their customers. This can help mitigate the negative impact on the organisation's reputation and customer relationships.
3. Preparedness and Response: Data Controllers need to have robust incident response plans in place to quickly identify, assess, and respond to data breaches. This includes having clear procedures for detecting breaches, assessing their impact, and notifying the relevant parties.
4. Legal and Financial Implications: Failure to comply with the notification requirements can result in significant penalties, including fines and potential legal action. This emphasises the importance of adhering to the new regulations to avoid financial and legal repercussions.
5. Enhanced Security Measures: The requirement for data breach notifications encourages Data Controllers to implement stronger security measures to prevent breaches from occurring in the first place. This includes regular security audits, employee training, and the use of advanced security technologies.
6. Customer Support: Data Controllers must be prepared to provide support to affected individuals, such as offering credit monitoring services or guidance on how to protect their personal information following a breach.
Keeping Up With Future Developments
As Malaysia strengthens its data protection framework with the PDPA Amendment 2024, it is crucial for organisations and DPOs to keep pace with regulatory changes to mitigate risks and reinforce consumer trust. Collaboration across departments is needed to ensure the successful upkeep of a compliant Data Protection Management Programme (DPMP) that addresses gaps with the appropriate controls. To support this, professional development courses such as Data Protection Principles in Asia – Philippines, Malaysia and the Malaysia Hands-on DPO Training can equip your organisation’s DPO or staff with the necessary expertise.
To help clarify the recent legislative developments and additional impacts of Generative AI, we will also be holding an in-person workshop in Kuala Lumpur, Malaysia on 10 April 2025. There, our team will highlight some resources and tools that can support DPOs with their expanded responsibilities. More information will be available on the Straits Interactive website soon.
Ultimately, protecting personal data is not just a legal obligation but a collective responsibility in building a trusted data-driven world.
This article was originally published on 17 Mar at the Governance Age.