
The guidelines on Appointment of Data Protection Officer (DPO) and Data Breach Notification (DBN) respectively have now been published by the Personal Data Protection Commissioner (Commissioner). They provide the necessary details to supplement sections 12A and 12B of the Personal Data Protection Act 2010 (PDPA), which will come into force on 1 June 2025.

We highlight key information from the guidelines in a question and answer (Q&A) format below, aiming to assist organisations, whether as data controllers[1] or data processors[2], in their next steps to comply with the new legal obligations on DPO and DBN.


Data Protection Officer

1. Who must appoint a DPO?

Every data controller and data processor must appoint one or more DPO(s), in any of the following scenarios:

  • Processing of personal data involving more than 20,000 data subjects
  • Processing of sensitive personal data[3], including financial information, involving more than 10,000 data subjects
  • Processing of personal data involving activities that require regular and systematic monitoring (e.g., CCTV, connected devices, tracking and profiling data subjects for behavioural advertising)

2. From whom may the DPO be appointed?

From among existing employees or through outsourcing services.

If outsourced, there must be a contract describing the duties and obligations of the DPO and, if the contract is with an entity, specifying the individual designated as the person-in-charge for liaising with the data controller/processor.

3. What is the nature of the DPO’s appointment?

  • The DPO’s position may be a part-time or full-time role, taking into account the organisation’s function, structure and size.
  • The DPO may have other responsibilities (e.g., legal, risk management), provided that it does not result in a conflict of interest.
  • The DPO should have direct reporting access to senior management of the organisation.
  • The DPO must not be dismissed for performing their duties in good faith, unless they have breached applicable laws or been found to have committed negligence or misconduct.
  • The appointment of DPO does not discharge the organisation’s compliance obligations. The organisation remains responsible and liable for any non-compliance with the PDPA.

4. Who can become a DPO?

Skills, qualities and expertise: The DPO must be able to demonstrate a sound level of all of the following:

  • Knowledge on the PDPA and other applicable data protection requirements
  • Understanding of the organisation’s business operations and the personal data processing operations
  • Understanding of information technology and data security
  • Personal qualities such as integrity, understanding of corporate governance and high professional ethics
  • Ability to promote data protection culture within the organisation

Language: The DPO must be proficient in both Malay and English languages.

Residency: The DPO must be either resident in Malaysia (i.e., physically present in Malaysia for at least 180 days in a calendar year) or easily contactable via any means.

5. Can one DPO be appointed to serve multiple organisations?

Yes, provided that the DPO is easily accessible by the different organisations receiving the DPO’s service.

6. What are the roles of the DPO vis-à-vis the data controller/processor?

The minimum core responsibilities of the DPO include all of the following:

  • Inform and advise the organisation on the processing of personal data
  • Support the organisation in complying with the PDPA and other related data protection laws, including staying informed of the risks affecting the organisation
  • Support the carrying out of data protection impact assessments
  • Monitor personal data compliance of the organisation
  • Ensure proper data breach and security incident management, by assisting the organisation in attending to personal data breaches within the prescribed periods

In performing the duties, the DPO must adopt a risk-based approach in assessing risks from the perspective of the organisation’s processing operations, and coordinate with relevant personnel of the organisation as necessary.

7. What are the roles of the DPO vis-à-vis the data subjects and the Commissioner?

The DPO must act as a facilitator and point of contact between the data subjects and the organisation, such as to handle data access or correction requests.

The DPO must also act as the liaison officer and main point of reference between the Commissioner and the organisation, such as to represent the organisation in industry engagement sessions.

8. What happens if the DPO ceases the service or reaches the end of the term of appointment?

The data controller/processor must reappoint or hire a replacement within a reasonable timeframe. An interim DPO must be appointed as soon as possible to monitor communications in the dedicated email account for the DPO.

9. What are the notification requirements about the DPO’s appointment?

Only the data controller (and not the data processor) must notify the appointment of the DPO and the business contact information[4], within 21 days from the appointment date, through http://daftar.pdp.gov.my. Changes to the DPO or the business contact information must be notified within 14 days.

10. What are the other key obligations of data controllers/processors regarding the DPO?

  • Create a dedicated email account for the DPO (i.e., separate from the personal or work email address of the individual), which must be actively monitored.
  • Publish the business contact information of the DPO on the official website (or other official media), personal data protection notices, and/or security policies and guidelines.
  • Ensure that the DPO has sufficient training and skills by attending relevant courses or training programmes.
  • Ensure that the DPO is involved in all matters related to personal data protection in a timely manner. This includes starting from the earliest stage of the data processing lifecycle (i.e., policy formulation) to the collection, storage and deletion or destruction of personal data.
  • Ensure that the DPO is provided with adequate resources to perform their functions with sufficient independence and autonomy and to carry out tasks effectively.
  • Maintain and retain records of the appointed DPO.

Data Breach Notification

1. What is a personal data breach?

The PDPA statutorily defines “personal data breach” as any breach of personal data, loss of personal data, misuse of personal data or unauthorised access of personal data.

Pursuant to the DBN guidelines, it broadly refers to any event or incident that leads or is likely to lead to the aforementioned breach. It is not limited to modification, duplication, alteration or destruction, and may be caused by accidental or deliberate actions, either internally or externally.

2. To whom and when must a personal data breach be notified?

Notification to the Commissioner only: When a personal data breach is of a significant scale, i.e., involving more than 1,000 affected data subjects.

Notification to both the Commissioner and the affected data subjects: When a personal data breach causes or is likely to cause “significant harm”, i.e., any of the following applies to the compromised personal data:

  • It may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property
  • It may be misused for illegal purposes
  • It consists of sensitive personal data
  • It consists of personal data and other personal information which, when combined, could potentially enable identity fraud

3. Who is responsible for notifying?

The data controller (and not the data processor).

If a notifiable personal data breach involves multiple data controllers, each data controller must submit its own separate notification to the Commissioner.

4. What is the timeframe to notify the Commissioner?

As soon as practicable and no later than 72 hours from the occurrence of the personal data breach.

With respect to the computation of the 72-hour timeframe, once the data controller is informed of or detects a security incident[5], it must conduct a preliminary investigation to determine whether a personal data breach has actually occurred.

If the data controller fails to notify within 72 hours, it must submit a written notice to the Commissioner, detailing the reasons for the delay and providing supporting evidence, which must include documentation of the incident timeline, internal communications and any technical issues or external factors that contributed to the delay.

5. What is the timeframe to notify the affected data subjects?

Without unnecessary delay and no later than 7 days after the initial notification to the Commissioner.

6. How to notify the Commissioner?

By completing the prescribed notification form (see Annex B of the DBN guidelines or otherwise published on www.pdp.gov.my) and submitting it either electronically (e.g., to dbnpdp@pdp.gov.my) or physically to the Commissioner.

Further to the above, the data controller must provide all of the following information:

  • Details of the personal data breach, including:
      • Date and time the personal data breach was detected by the data controller
      • Type of personal data involved and the nature of the breach
      • Method used to identify the breach and the suspected cause of the incident
      • Number of the affected data subjects
      • Estimated number of the affected data records
      • Personal data system affected, which resulted in the breach
  • Potential consequences arising from the personal data breach
  • Chronology of events leading to the loss of control over personal data
  • Measures taken or proposed to be taken by the data controller to address the personal data breach, including steps implemented or planned to mitigate the possible adverse effects of the breach
  • Measures taken or proposed to be taken to address the affected data subjects
  • Contact details of the DPO or any other relevant contact person from whom further information on the personal data breach may be obtained

The information listed above may be provided in phases if needed, but as soon as practicable and no later than 30 days from the date of the initial notification to the Commissioner.

The data controller’s DPO must act as the main point of contact for any inquiries or requests from the Commissioner regarding the personal data breach. If a DPO is not required to be appointed, the data controller must name a representative with sufficient seniority and expertise to act as the point of contact.

7. How to notify the affected data subjects?

The notification must include all of the following information:

  • Details of the personal data breach that has occurred
  • Details on the potential consequences resulting from the personal data breach
  • Measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
  • Measures that the affected data subjects may take to eliminate or mitigate any potential adverse effects resulting from the data breach
  • Contact details of the DPO or other contact point from whom more information regarding the personal data breach can be obtained

The notification must be provided directly and individually to the data subjects in a practicable manner using intelligible language appropriate to the circumstances. This is to allow the data subjects to take necessary precautions or other measures to protect themselves against the possible adverse effects of the breach.

However, if direct notification is not practicable or requires a disproportionate effort, the data controller may use alternative means of notification, such as public communication or any similar method that effectively informs the affected data subjects of the personal data breach.

The form of notification used to inform the affected data subjects of the personal data breach should be sent separately from other information (e.g., regular updates, standard messages), so that the communication of the breach is clear and transparent.

8. What may happen after notification to the Commissioner?

The Commissioner may conduct an investigation into the data controller to determine whether any act, practice or request violates the PDPA. The Commissioner may also direct the data controller to submit records related to data breach notifications or any report documents.

9. What are the other key obligations of data controllers regarding the DBN?

Contractual obligations on data processors: Require them to promptly notify the data controllers about any data breach that has occurred, and to provide the data controllers with all reasonable and necessary assistance to meet the data breach notification obligation under the PDPA.

Data breach management and response plans: Put in place such plans, which must at least outline policies and procedures to address all of the following:

  • Personal data breach identification and escalation procedures
  • Roles and responsibilities of relevant stakeholders
  • Steps to contain and mitigate the impact of the breach
  • Steps to determine whether it is necessary to notify the Commissioner and the affected data subjects
  • Communication plan for notifying the Commissioner and the affected data subjects
  • Post-incident review

Record keeping: Keep records and maintain a register detailing personal data breaches for a period of at least 2 years from the notification date to the Commissioner (including breaches that did not meet the notification criteria for informing the Commissioner or the affected data subjects). The register should at least document all of the following information:

  • Description of the personal data breach, including the date and time the data controller became aware of the personal data breach, an analysis and identification of the root cause, the type of personal data involved, the estimated number of the affected data subjects, the estimated number of the affected data records and the compromised personal data system which allowed the breach to occur
  • Description of the likely consequences of the personal data breach
  • Description of a chronology of the events leading to the personal data breach
  • Containment and recovery measures taken to address the personal data breach
  • Details of notifications made to the Commissioner and the affected data subjects and, where applicable, justification for not making notifications

The above record keeping documents must be made available when requested by the Commissioner.

10. What are the other key issues for data controllers regarding the DBN?

Assessing the data breach: Data controllers should act promptly as soon as they become aware of any personal data breach to assess, contain and reduce the potential impact of the data breach. Data controllers should also conduct a post-breach evaluation to review the effectiveness of the data breach management and response plan, as well as their data protection practices and policies to prevent the recurrence of similar incidents.

Notification obligations under other laws: Apart from DBN under the PDPA, there may be other similar notification obligations in Malaysia (e.g., with the National Cyber Security Agency, Bank Negara Malaysia). Data controllers should identify the relevant notification requirements that may be applicable and establish internal processes to facilitate compliance.

Training: Data controllers should conduct periodic training, as well as awareness and simulation exercises, in order to ensure that employees are aware of their roles and responsibilities in assisting the data controllers in responding to a personal data breach.


[1] Data controllers are those (other than data processors) who (either alone or jointly or in common with other persons) process any personal data or have control over or authorise the processing of any personal data.

[2] Data processors are those (other than employees of the data controller) who process personal data solely on behalf of the data controller and do not process the personal data for any of their own purposes.

[3] Sensitive personal data includes personal data relating to: (a) physical or mental health or condition; (b) political opinions; (c) religious or similar beliefs; (d) commission or alleged commission of an offence; or (e) biometric data.

[4] Business contact information includes the DPO’s name, position or title, business telephone number, business address, and the dedicated email address for the DPO.

[5] Security incident means an event or occurrence that affects or tends to affect data protection or may compromise the availability, confidentiality or integrity of data.

Authors

Kherk Ying Chew heads the Intellectual Property and Dispute Resolution Practice Groups of Wong & Partners. She has decades of experience in intellectual property (IP), commercial litigation, corporate compliance, information technology and Internet regulatory issues.

Serene Kan is a Partner in Baker McKenzie's Kuala Lumpur office.

Chun Hau Ng is an Associate in Baker McKenzie's Kuala Lumpur office.