The Department of Personal Data Protection (‘PDP’) published, on 7 August 2018, Public Consultation Paper No.1/2018 entitled The Implementation of Data Breach Notification (‘the Consultation Paper’). The Consultation Paper seeks feedback from data users, as well as relevant parties, on personal data breach management, to be submitted to the Personal Data Protection Commissioner (‘the Commissioner’), and encourages suggestions of other criteria for the expected implementation of the data breach notification requirements.
Adlin Abdul Majid, Partner at Lee Hishammuddin Allen & Gledhill, told DataGuidance, “The introduction of data breach notification requirements is a natural next course of action that has been adopted in other jurisdictions […] to ensure that such issues are sufficiently addressed and appropriately managed. […] Further, this […] may have also been a response to similar requirements imposed under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). If implemented, the introduction of such data breach requirements [proposed in the Consultation Paper] would mean that organisations currently operating in Malaysia will need to take proactive steps in managing data breaches that occur within their organisations. The implementation of such requirements would also complement existing data protection laws in Malaysia, which require data users to take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.”
Currently, there are no general data breach notification requirements in Malaysia. However, such requirements are in place for the financial services sector, as issued by the Central Bank of Malaysia. The Consultation Paper lists a number of data breach notification elements, consisting of the information to be submitted to the Commissioner when notifying the Commissioner of a data breach. These include details of the data breach itself, the containment or control measures taken, the number of affected data subjects, and the training and guidance that the organisation suffering the data breach has implemented. In addition, the Consultation Paper proposes including information on who has been notified about the breach, and suggests that the Commissioner must be notified of a data breach within 72 hours of discovery.
Abdul Majid concluded, “The plan to implement data breach notification is a good initiative by the Commissioner which will ensure that Malaysian data protection laws are more aligned with […] other jurisdictions. It is however important for specific guidance to be provided by the Commissioner on this matter, for example, what kind of breach would necessitate notification and who notification should be made to, for example whether to the Commissioner, other regulatory bodies, or data subjects. Thus, affected parties must provide feedback to the Commissioner […] to ensure that industry issues are adequately taken into account in coming up with the requirements and in ensuring the viability of such requirements being imposed in Malaysia.”
Public consultation on the Consultation Paper is open until 21 August 2018.
HOLLY HIGHAMS Privacy Analyst