
Preparing for the Personal Data Protection (Amendment) Act 2024: A Three-Stage Implementation Plan

As we enter 2025, one of the most closely watched pieces of legislation for in-house counsel and regulatory departments is the Personal Data Protection (Amendment) Act 2024. The Amendment Act brings significant legal and regulatory changes to data privacy in Malaysia, building on the framework established by the Personal Data Protection Act 2010.


Staged Implementation of the Personal Data Protection (Amendment) Act 2024

The Personal Data Protection (Amendment) Act 2024 has officially come into operation in 2025, but its implementation will not occur all at once. Instead, it will be rolled out in three stages, commencing on 1 January 2025, followed by 1 April 2025, and lastly on 1 June 2025.

It is important to note that the three stages are not equal in impact. The amendments in the first stage are relatively modest and are unlikely to require substantial changes within organizations. The second and third stages introduce more significant amendments that demand closer attention and thorough preparation. This article provides a broad overview of what takes effect at each stage, together with key takeaways on how to prepare for these changes.


First Implementation Stage: 1 January 2025

On 1 January 2025, Sections 7, 11, 13 and 14 of the Personal Data Protection (Amendment) Act 2024 come into operation.

Without going into every detail, the first-stage amendments are largely textual and administrative. They include amending the national language text of Subsection 16(3) of the Personal Data Protection Act 2010 by substituting the word “Pendaftar” with “Pesuruhjaya”; amending Section 67 of the Personal Data Protection Act 2010 by deleting the words “, after consulting the Minister,”; and amending Subsection 136(1) of the Personal Data Protection Act 2010 by inserting “(aa) by way of electronic means;”.

These changes are relatively minor and are not expected to significantly affect organizations. The first implementation stage is best understood as administrative updates and preparatory measures for the stages that follow.


Second Implementation Stage: 1 April 2025

The second implementation stage, set to take effect on 1 April 2025, will have broader implications as Sections 2, 3, 4, 5, 8, 10, and 12 of the Personal Data Protection (Amendment) Act 2024 come into operation.


Without covering every amendment in detail, here are five key takeaways that warrant particular attention:

1. Change from “Data User” to “Data Controller”

Under the Personal Data Protection Act 2010, a “data user” is defined as a person who processes any personal data or has control over or authorizes the processing of any personal data.

The Personal Data Protection (Amendment) Act 2024 replaces the term “data user” with “data controller”, aligning more closely with the terminology used in other jurisdictions such as the EU, the UK and Singapore. Organizations should update their PDP notices, contracts and other documentation to reflect this change.

2. Introduction of Biometric Data

Biometric data, defined as personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person, is introduced under the Personal Data Protection (Amendment) Act 2024 as a type of “sensitive personal data”.

With advances in technology and the increasing use of biometric data in AI applications, bringing biometric data within the purview of the Personal Data Protection Act 2010 is timely and reflects the growing importance of protecting such sensitive information.

3. Expanded Legal Obligations for Data Processors

Under the Personal Data Protection Act 2010, the key legal obligations rested primarily on data users (now data controllers), with no direct legal obligations imposed on data processors. This was a point of criticism, as many data users outsource data processing to processors for reasons such as cost-efficiency, scalability and specialized expertise. Without direct legal obligations, data processors could neglect adequate safeguards, and ensuring compliance and accountability was problematic.

The Personal Data Protection (Amendment) Act 2024 extends the Security Principle to data processors. Data processors must now also provide sufficient guarantees in respect of the technical and organizational security measures under the Security Principle to protect personal data from loss, misuse, unauthorized access or destruction.

4. Heavier Penalties for Non-Compliance

Under the Personal Data Protection (Amendment) Act 2024, the penalties for non-compliance with the seven personal data protection principles, namely (i) the general principle, (ii) the notice and choice principle, (iii) the disclosure principle, (iv) the security principle, (v) the retention principle, (vi) the data integrity principle and (vii) the access principle, have been significantly increased.

Previously, a data controller found liable on conviction faced a fine of up to RM300,000, imprisonment of up to two years, or both. The Personal Data Protection (Amendment) Act 2024 raises these penalties to a fine of up to RM1,000,000, imprisonment of up to three years, or both, reflecting the heightened emphasis on compliance and accountability under the revised framework.

5. Removal of the Whitelist Regime for Cross-Border Transfers

The Personal Data Protection (Amendment) Act 2024 eliminates the whitelist regime for cross-border data transfers and introduces a more pragmatic approach. A data controller may now transfer personal data to a country outside Malaysia if the destination country satisfies one of two conditions: (i) it has a data protection law substantially similar to Malaysia’s, or (ii) it provides an adequate level of protection for the processing of personal data, equivalent to the standards under Malaysian law.

This change simplifies the regulatory landscape by removing the ambiguities associated with the previous whitelist regime, and gives data controllers greater flexibility and clarity when determining the legality of a cross-border data transfer.

Third Implementation Stage: 1 June 2025

The Third Implementation Stage, set for 1 June 2025, focuses specifically on Sections 6 and 9 of the Personal Data Protection (Amendment) Act 2024.

Although it only concerns these two sections, this stage will have the most substantial impact on organizations, as it introduces 3 new concepts that will significantly affect both operational and regulatory processes.


1. Appointment of Data Protection Officer (“DPO”)

The first concept is the appointment of a DPO. Under the Personal Data Protection (Amendment) Act 2024, a data controller is required to appoint one or more DPOs who are accountable to the data controller for compliance with the law. Similarly, where the processing of personal data is carried out by a data processor on behalf of the data controller, the data processor must also appoint a DPO who is accountable to the data processor for compliance purposes.

Unlike merely designating a contact person in the Personal Data Protection Notice, the appointment of a DPO carries significant responsibility, and the law clearly indicates that the DPO will be held accountable for ensuring compliance with data privacy laws.

At present, there are numerous open questions regarding the appointment of a DPO, such as the minimum expertise and qualifications required, whether the DPO must be ordinarily resident in Malaysia, whether the role can be outsourced, and whether a shared DPO can be appointed across multiple entities within the same group. These are valid and important questions that remain to be clarified. As of now, the public consultation paper on the appointment of DPOs and other relevant amendments has already been circulated, and we anticipate that further clarification will be issued before the provisions come into force.

2. Mandatory Data Breach Notification

The second concept is the data breach notification requirement. Under the Personal Data Protection (Amendment) Act 2024, if a data controller has reason to believe that a personal data breach has occurred, it is required to notify the Commissioner. Furthermore, if the breach is likely to cause significant harm to the data subject, the data controller must also notify the affected individual.

Non-compliance with these data breach notification requirements carries serious consequences, including a fine of up to RM250,000, imprisonment for up to two years, or both.

Based on the personal data breach notification exercises we have conducted on behalf of organizations that have suffered personal data breaches, we have observed a common issue: many organizations lack internal policies or procedures detailing the steps to take in the event of a breach. Typically, when a data breach is discovered, there is a chaotic response, with companies scrambling to determine what actions to take. This reactive approach is akin to trying to find a fire extinguisher after the fire has already started. Therefore, especially with the mandatory data breach notification requirement now in place, companies should ensure they have a clear data breach policy or protocol, enabling them to respond quickly and appropriately when a data breach occurs.

3. Right to Data Portability

The third concept is the right to data portability. Under the Personal Data Protection (Amendment) Act 2024, a data subject may request that the data controller transmit their personal data to another data controller of their choice. The request must be made in writing via electronic means, and the transmission is subject to technical feasibility and compatibility of the data format.

The right to data portability aligns with global data privacy trends that empower individuals by granting them more control over who processes their personal data and how it is processed. As data subjects can now more easily transfer their data between data controllers, barriers to switching services are reduced. Moving forward, organizations will need to address the challenges associated with data portability, particularly technical feasibility, data format compatibility and ensuring smooth data transfer processes.

Conclusion

At the time of writing, approximately six months remain for organizations to prepare for the full implementation of the Personal Data Protection (Amendment) Act 2024. This six-month window should not be taken for granted. As an initial step, companies should begin reviewing and revising their PDP Notices and privacy policies or handbooks to ensure compliance with the latest amendments. Most importantly, organizations that do not yet have these documents in place should start drafting them now to ensure full compliance with all legal obligations under the data privacy law.


If your organization needs help with crafting a protocol for the handling of personal data requests from data subjects, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.


About the authors

Ong Johnson
Partner
Head of Technology Practice Group

Technology, Media & Telecommunications (“TMT”),
Fintech, TMT Disputes, TMT Competition, Regulatory
and Compliance
johnson.ong@hhq.com.my


Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
ky.lo@hhq.com.my


© 2000 – 2024 Halim Hong & Quek