PDPA Alert: Proposed introduction of data breach notification
15 April 2019
The Personal Data Protection Department is reviewing and proposing amendments to the Personal Data Protection Act 2010 (“Act”) to ensure it is aligned with new developments and international requirements of data protection law, particularly the European Union’s General Data Protection Regulation which came into force on 25 May 2018 with extra-territorial effects.
The Personal Data Protection Department has proposed amendments to the Act that cover cross-border data transfer and has introduced a data breach notification requirement. The proposals are set out in the two recent public consultation papers issued by the Personal Data Protection Commissioner (“Commissioner”), one pertaining to the whitelist of places for transfer of personal data outside Malaysia (the proposed “Whitelist”) and the other on the implementation of data breach notification.
For more information on the proposed Whitelist, please see: https://www.taypartners.com.my/en/index.php/insidertaps-20170407 and the PDPA alert: http://www.taypartners.com.my/en/index.php/insidertaps-20170407.
The public consultation paper on the implementation of data breach notification was published on 7 August 2018 with the purpose of introducing the requirement for data users to notify the Commissioner of a data breach within 72 hours of becoming aware of the breach and to provide the Commissioner with the following information in the data breach notification:
- a summary of the data breach, including the type and amount of personal data involved in the breach and the estimated number of affected data subjects;
- the details of any actions or measures which have been or will be taken to contain the breach and a description of the potential harm, especially towards the affected data subjects;
- the identity of the persons who have been notified about the breach, information on whether other regulatory bodies or law enforcement agencies have been notified about the breach, a description of the method by which data subjects are notified about the breach and the advice given to the affected data subjects; and
- the details of any training or awareness programme provided to the employees prior to the breach, particularly in the last 24 months and the detailed guidance provided to the employees on the handling of personal data.
The consultation document is available at: http://www.pdp.gov.my/images/pdf_folder/PCP-1-2018-DBN-Ver2.pdf
The data breach notification requirement is expected to be implemented by imposing conditions on the certificate of registration issued by the Commissioner to data users. Based on the public consultation paper, the data breach notification requirement appears to apply only to data users falling within the 13 classes of data users who are required to be registered with the Commissioner.
If you have any queries or require more information, please feel free to get in touch with us.
Lee Lin Li
T: +603 2050 1898