Malaysia’s Data Protection Overhaul: Key Changes and Impacts on Business
Malaysia has recently introduced significant amendments to its Personal Data Protection Act (PDPA) to enhance data security and align with global standards. The recent amendments to the PDPA introduce several new requirements, including mandatory data breach notifications, the appointment of Data Protection Officers, new rules for cross-border data transfers, and expanded responsibilities for data processors.
Appointment of data protection officers
Under the new amendments, businesses are now required to appoint a Data Protection Officer (DPO). The DPO is responsible for overseeing data protection strategies, ensuring compliance with the law, and serving as a point of contact for data protection issues. This requirement places an added administrative burden on businesses but also provides a structured approach to handling data security.
New legal obligations for data processors
The revised PDPA extends specific obligations directly to data processors, not just data users. Data processors must now ensure compliance and take practical steps with security standards, maintain accurate records of processing activities, and assist data users in meeting their obligations. This change impacts businesses that process data on behalf of other entities, increasing their responsibilities and potential liability.
Further, data processors that fail to comply face a fine of up to 1 million ringgit (US$232,000) and/or imprisonment of up to 3 years.
Changes to the definition of data users
The PDPA changes the term ‘data user’ with ‘data controller’ to make it more aligned with the definition used in other jurisdictions worldwide.
Changes to rules on cross-border transfers
Malaysia has removed the “white-list” system that previously allowed data transfers to countries deemed to have adequate data protection. Now, data transfers to any country are allowed, provided certain safeguards are met, such as contractual clauses or binding corporate rules. This change gives businesses more flexibility in cross-border data transfers but requires them to take additional steps to ensure compliance.
Mandatory data breach notification
Businesses must now notify authorities and affected individuals of any data breach within a specified timeframe to the Data Protection Commissioner. This mandatory notification aims to increase transparency and ensure prompt action to mitigate the impact of breaches. Failure to comply with this requirement can result in substantial penalties.
Increased penalties for breach of personal data protection principles
The amendments introduce higher penalties for non-compliance with personal data protection principles, including fines and imprisonment.
The new fine for non-compliance is now of up to 1 million ringgit (US$232,000) and/or imprisonment of up to 3 years, an increase from the previous fine of 300,000 ringgit (US$69,749) and/or imprisonment of up to 2 years.
These stricter penalties serve as a deterrent against data breaches and encourage businesses to prioritize data security measures.
Conclusion
The changes to Malaysia’s PDPA represent a significant shift towards stricter data protection regulations, impacting all businesses handling personal data. Companies must now reassess their data protection practices, appoint dedicated officers, ensure compliance with cross-border data transfer rules, and prepare for potential breaches to avoid severe penalties.
About Us
ASEAN Briefing is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia and maintains offices throughout ASEAN, including in Singapore, Hanoi, Ho Chi Minh City, and Da Nang in Vietnam, in addition to Jakarta, in Indonesia. We also have partner firms in Malaysia, the Philippines, and Thailand as well as our practices in China and India. Please contact us at asean@dezshira.com or visit our website at www.dezshira.com.