Ever since the Personal Data Protection (Amendment) Act 2024 was officially gazetted on 17 October 2024, one of the most frequently asked questions we received centers around the new data breach notification obligations introduced under the amended law. Given the substantial impact these new data breach notification obligations have on compliance operations, organizations will need to implement new processes, update policies, and ensure their compliance frameworks are robust enough to manage these obligations effectively.
In this article, we will explore 5 key takeaways on the data breach notification requirement, offering insights designed to assist general counsels, data protection officers, compliance officers, and in-house lawyers in preparing for and responding to these changes.
1. Understanding ‘Personal Data Breach’
To fully grasp the data breach notification requirements, organizations must first appreciate the definition of a personal data breach. The Personal Data Protection (Amendment) Act 2024 defines a personal data breach as “any breach of personal data, loss of personal data, misuse of personal data, or unauthorized access to personal data.” This broad definition is intentional, covering a wide array of scenarios where data may be compromised.
Given the breadth of the definition of personal data breach, organizations should evaluate their data breach and incident response protocols to account for this broad definition and ensure that personal data breaches are appropriately identified, classified, and escalated within their risk management frameworks.
2. Obligation to Notify the Personal Data Protection Commissioner
Under the Personal Data Protection (Amendment) Act 2024, if a data controller (a term which replaces the previous “data user”) has reason to believe a personal data breach has occurred, it is required to notify the Personal Data Protection Commissioner “as soon as practicable.”
At the time of writing, there is no detailed guidance on the specific timeframe or the information required for such data breach notifications, so it may be helpful to consider recent legislative trends for guidance. For instance, under the Cyber Security Act 2024, NCII entities must notify immediately upon becoming aware of a cyber security incident, followed by additional reports within six hours and within fourteen days, detailing the incident’s severity, method of discovery, particulars of the threat actors involved, response actions taken, and impacts.
We consider it reasonable to expect that the data breach notification guidelines under the Personal Data Protection (Amendment) Act 2024 will take cues from similar standards and frameworks, and proper regulations should be expected in due course.
3. Obligation to Notify the Data Subject
Unlike the Cyber Security Act 2024, which mandates upward notification to authorities only, the Personal Data Protection (Amendment) Act 2024 also mandates notifying data subjects directly if the personal data breach causes or is likely to cause significant harm to the data subjects.
Although detailed specifics on the required timeframe and content of these notifications have yet to be provided, organizations should take this obligation very seriously for two practical reasons.
First, data breaches often affect substantial volumes of personal data, creating logistical challenges and the need for robust protocols to ensure affected individuals are notified promptly and accurately. Coordinating this process demands that organizations prepare effective notification mechanisms to address a potentially large number of affected data subjects.
Second, notifying data subjects directly introduces public relations and investor relations considerations. When a personal data breach occurs, how an organization responds will likely have lasting impacts on its reputation and the trust it commands. Beyond the personal data breach itself, stakeholders, including customers, investors and partners, will assess the organization’s crisis management approach. The way organizations respond to and manage a personal data breach—not just the fact that a breach occurred—will likely become a defining factor in shaping public trust and brand integrity.
4. Consequences of Non-Compliance with Data Breach Notification Requirements
The consequences of non-compliance under the Personal Data Protection (Amendment) Act 2024 are substantial.
Failure to comply with the data breach notification requirement can result in serious penalties, including a fine of up to RM250,000, imprisonment of up to two years, or both, upon conviction. These penalties underscore the critical importance of prompt and proper notification in the event of a personal data breach. Hence, organizations should view this as a compliance imperative, as both financial and reputational risks are at stake.
5. Proactive Measures: What Organisations Should Do Moving Forward
As we approach 2025, a proactive approach to data protection will be crucial. In-house legal teams and compliance departments should prioritise updating policies, enhancing internal protocols, revising handbooks, and conducting organisation-wide training to align with the new requirements introduced in the Personal Data Protection (Amendment) Act 2024.
Malaysia’s regulatory landscape is placing an increasing emphasis on corporate governance and data protection compliance. Given the significant penalties, including imprisonment, for non-compliance, organisations must ensure their data breach response frameworks are robust. A strategic step forward would be to engage legal professionals skilled in data protection law to assist with compliance gap analyses, privacy handbook updates, and training sessions for directors and relevant teams. By doing so, organisations can mitigate the risk of penalties and enhance their preparedness to handle potential breaches with confidence.
Conclusion
The data breach notification requirements introduced under the Personal Data Protection (Amendment) Act 2024 signify a pivotal shift in Malaysia’s data protection landscape, reflecting global best practices and the importance of transparency in managing personal data. With comprehensive strategies and proactive planning, organizations can navigate this regulatory shift with confidence, safeguarding both their compliance standing and the trust of their stakeholders.
If your organisation needs help with crafting a protocol for the handling of personal data requests from data subjects, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my