Introduction
The long-anticipated Personal Data Protection (Amendment) Bill 2024 has been introduced in Malaysia, proposing significant changes to the existing Malaysia Personal Data Protection Act (PDPA) of 2010. This legislative update aligns with global data privacy standards and addresses the rapidly evolving digital landscape. For businesses, understanding these PDPA changes is essential to ensure compliance and avoid hefty penalties. In this article, we will explore the critical aspects of the amendment bill and its implications for organisations operating in Malaysia.
Key Changes in the Amendment Bill
1. Direct Obligations for Data Processors
A noteworthy shift in the amendment bill is the imposition of direct obligations on data processors. Previously, only data controllers were responsible for the handling and protection of personal data. Now, data processors must adhere to the security principle. This means they must take active steps to secure personal data against loss, misuse, or unauthorized access. Failure to comply could result in fines of up to MYR 1 million (USD 216,000) and/or three years of imprisonment. This change increases accountability across the board, promoting a more robust data protection environment.
2. Mandatory Data Breach Notification
Under the new bill, data breach notifications have become mandatory. Data controllers must inform the Commissioner promptly if they believe a data breach has occurred. Additionally, if the breach significantly harms or could harm data subjects, controllers are required to notify the affected individuals without delay. This prompt reporting aims to enhance transparency and allows individuals to take necessary measures to protect themselves from potential harm.
3. Requirement to Appoint Data Protection Officers
The amendment bill mandates that both data controllers and processors appoint at least one Data Protection Officer (DPO). The DPO will oversee compliance with the PDPA, ensuring that data management practices align with the regulatory framework. This requirement underscores the importance of internal oversight and structured compliance frameworks within organisations.
4. Expanded Data Subject Rights
The amendment bill introduces a new data portability right, which grants data subjects the ability to request the transfer of their personal data from one data controller to another, provided it is technically feasible. This aligns with global trends that empower individuals to control their data and facilitate seamless transfers between service providers. Additionally, the scope of sensitive personal data is expanded to include biometric data, adding another layer of protection for individuals’ uniquely identifiable information.
5. Updated Rules for Cross-Border Data Transfers
The amendment bill replaces the existing whitelist approach with a general legal basis for cross-border data transfers. Personal data may be transferred to a country whose laws are substantially similar to the PDPA or, alternatively, whose laws ensure a level of data protection equivalent to that of the PDPA. This approach streamlines cross-border data flows while safeguarding personal information.
6. Exclusion of Deceased Individuals from the Definition of Data Subjects
Interestingly, the amendment bill revises the definition of data subjects, excluding deceased individuals from its purview. Consequently, the PDPA will no longer apply to the personal data of deceased individuals, which could impact businesses handling such data, including those in sectors like insurance and healthcare.
Increased Penalties for Non-Compliance
The amendment bill raises the stakes for compliance by increasing the penalties for breaching the seven data protection principles set out in the PDPA. Directors, CEOs, and other responsible officers may face personal liability, emphasising the need for robust compliance mechanisms. Under the new bill, fines can reach MYR 1 million (USD 216,000), with the potential for imprisonment. The introduction of these penalties reflects a commitment to enforcing the PDPA and ensuring that data controllers and processors prioritise data protection.
Additional Guidelines on the Horizon
In January 2024, the Minister of Digital announced the development of seven supplementary guidelines to support the PDPA amendments. These include guidelines on data breach notifications, DPO roles, data portability, and cross-border data transfers. These upcoming guidelines will provide clarity and support for businesses as they navigate the enhanced requirements.
Preparing for Compliance: How Formiti’s Malaysia PDPA Service Can Help
The Personal Data Protection (Amendment) Bill 2024 signifies a substantial shift in Malaysia’s data protection landscape. With new obligations and stringent penalties, organisations must prioritise compliance to safeguard both their reputation and their bottom line.
At Formiti, we offer comprehensive Malaysia PDPA services designed to help businesses navigate these complex PDPA changes. Our team of experts can assist you in appointing qualified Data Protection Officers, implementing effective data breach response plans, and ensuring compliance with cross-border data transfer rules. With Formiti’s support, you can confidently adapt to the new regulatory environment and focus on what matters most: your business.
For organisations in Malaysia, staying ahead of these changes is crucial. Embrace the opportunities the amendment bill brings by investing in a proactive compliance strategy. Let Formiti guide you through the evolving data protection landscape and ensure your business is fully prepared to meet the demands of the Personal Data Protection (Amendment) Bill 2024.