The recent Malaysia Personal Data Protection (Amendment) Act 2024 introduces significant updates to the Personal Data Protection Act of 2010 (PDPA), as the region strives to strengthen its personal data protection regulations. The Amendment Act will take effect in three tranches commencing from 1st January 2025, with the bulk of the changes coming into force from 1st April 2025. The following are the key amendments that organisations must take note of:
- Revision of the term “Data Users” to “Data Controllers”.
- Data Processors are now obliged to take steps to protect personal data from loss and misuse, among other potential risks.
- Narrowing the scope of “personal data” to exclude personal data of deceased individuals while recognising ‘biometric data’ as personal data.
- Data Controllers and Data Processors must appoint a Data Protection Officer (DPO) who will be accountable to the Data Controller and Data Processor for ensuring the organisation’s adherence to the PDPA.
- Permitting personal data to be transferred from Malaysia to countries with substantially similar laws or that ensure equivalent levels of protection.
- Allowing personal data to be transferred to another service, which facilitates easier switching between service providers.
- Data Controllers must notify the Commissioner of any breach or face a fine of up to RM250,000 (approx. $57,088) and/or up to two years in prison.
- Increased penalties for breach of personal data protection principles to a fine of up to RM1,000,000 (approx. $228,350) and/or up to three years' imprisonment.
As the Amendment Act comes into effect, businesses should begin preparing for the additional compliance obligations that will arise. This includes careful consideration in the appointment of a DPO, as well as reviewing the categories of personal data in their possession and control.
It is imperative that businesses ensure their data protection programme adequately includes processes for managing personal data breaches, incident response protocols and cross-border personal data transfer mechanisms. HewardMills’ team of data protection and privacy experts can support organisations in navigating compliance with the new requirements and with the appointment of a DPO.