
Ever since the implementation of the Personal Data Protection (Amendment) Act 2024, which introduces the legal requirement for organizations to appoint a Data Protection Officer (“DPO”), this new mandate has sparked considerable discussion and even uncertainty. While the concept of a DPO is not new in other jurisdictions, this marks the first time that Malaysian organizations are legally required to appoint one.
In this article, we aim to provide clarity and deeper insight by addressing the 10 most frequently asked questions we receive from our clients regarding the DPO appointment in Malaysia. Specifically, we will cover which organizations are required to appoint a DPO, whether the role can be outsourced or must be internally appointed, and under what circumstances we would recommend outsourcing the DPO function.
1. Which Organizations Must Appoint a DPO?
Under the Personal Data Protection (Amendment) Act 2024, an organization must appoint a DPO if it meets any one of the following 3 criteria:
i. Processes personal data of more than 20,000 data subjects;
ii. Processes sensitive personal data, including financial information, for more than 10,000 data subjects; or
iii. Involves activities that require regular and systematic monitoring of personal data.
Organizations should assess their data processing practices against these thresholds to determine whether they need to appoint a DPO. If there is uncertainty regarding the applicability of these criteria, it is advisable to consult a law firm for a legal opinion to confirm the necessity of appointing a DPO.
2. Is There a Minimum Professional Qualification Required To Be Appointed as a DPO?
At present, there is no prescribed minimum professional qualification, accreditation, or certification required to be appointed as a DPO under Malaysian law. However, an appointed DPO should meet the following 5 key criteria:
i. Knowledge of Data Protection Laws – A DPO must have a strong grasp of the Personal Data Protection Act 2010 and other relevant data protection regulations.
ii. Understanding of the Organization’s Business Operation – A DPO should be familiar with how the organization processes personal data within its business operations.
iii. Technical and Data Security Awareness – A DPO should possess sound knowledge of IT and data security practices to ensure compliance.
iv. Ethical and Corporate Governance Awareness – A DPO should demonstrate integrity, corporate governance awareness, and high professional ethics.
v. Ability to Cultivate a Data Protection Culture – A DPO should be capable of promoting strong data protection awareness within the organization.
3. What are the Roles and Responsibilities of a DPO?
The role of a DPO extends beyond a mere designation and involves a broad scope of responsibilities, including but not limited to:
i. Advisory Role – Providing guidance on compliance with the Personal Data Protection Act 2010 and related regulations.
ii. Compliance Audits and Gap Analysis – Performing gap analysis and audits on the organization’s data protection policies, frameworks, and procedures.
iii. Gap Analysis Report and Recommendations – Issuing a gap analysis report and recommendations, advising on remediation plans for compliance gaps.
iv. Data Protection Frameworks Development – Drafting, reviewing and revising the organization’s data protection policies, guidelines, notices, and handbooks.
v. Compliance Training – Conducting compliance training for employees, stakeholders, and directors to enhance understanding of data protection requirements.
vi. Handling Data Breaches – Acting as the main point of contact with the PDP Commissioner during a data breach, ensuring proper notification and incident management within the prescribed timelines.
vii. Interfacing with Data Subjects – Serving as the point of contact for data subjects regarding their rights and personal data inquiries, including during a personal data breach to notify affected individuals as required by law within the prescribed timelines.
4. Can a DPO Be Appointed Internally or Outsourced?
Organizations have the flexibility either to appoint a DPO internally or to outsource the role to an external service provider. If an organization opts for an outsourced DPO, it is recommended that the appointment be for a minimum term of 2 years to ensure stability and continuity.
5. Should the DPO Be Appointed Internally or Outsourced?
The decision to appoint a DPO internally or to outsource the role depends on cost considerations and the expertise available within the organization. Many organizations do not have a dedicated in-house legal team, and even when they do, privacy law is a niche area that may not be within their expertise. Therefore, for companies that lack the budget to hire a dedicated DPO, outsourcing can be a cost-effective solution.
It is important to understand that the role of a DPO is more than just a title, as it comes with real responsibilities, such as conducting gap analysis to advise the organization on compliance risks, developing frameworks by reviewing and revising personal data policies and guidelines, and providing compliance training. Additionally, in the event of a data breach, the DPO must be familiar with the response process, including handling data breaches, incident response, and incident management, particularly when dealing with the PDP Commissioner and data subjects. Given the importance of these tasks, whether appointing a DPO internally or outsourcing the role, or even deciding which service provider to outsource to, it is crucial to ensure that the appointed person or organization has actual experience in privacy law, particularly in handling data breaches. If an organization does not have the requisite capacity and expertise internally, outsourcing is the easiest and fastest route to compliance. On the other hand, if an organization has the internal resources to undertake the role of a DPO, appointing the DPO internally and then engaging an external service provider or legal counsel to support the DPO can be an effective approach to risk management.
6. Can the Role of a DPO Be Outsourced to a Foreign Organization?
In Malaysia, the DPO should meet local residency requirements, meaning that the DPO should be a resident in Malaysia (i.e., physically present in Malaysia for at least 180 days in a calendar year) or be easily contactable by any means and be proficient in both Bahasa Melayu and English.
7. Is There a Notification Requirement for Appointing a DPO?
Yes. Once a DPO has been appointed, the organization must register the DPO with the PDP Commissioner and submit their business contact information within 21 days from the date of appointment.
8. Is There a Need to Publish the Contact Details of the DPO?
Yes, after appointing a DPO, organizations are required to publish the business contact information of the DPO through various channels, including the official website and other official media of the organization, personal data protection notices, and security policies and guidelines.
Additionally, organizations must create a dedicated official business email account for the DPO, which shall be distinct and separate from the personal and official business work email address of the individual appointed as the DPO.
9. Can the Organization Simply Appoint the DPO Without Further Action?
The role and responsibilities of a DPO can only be carried out effectively with adequate resources and support from the organization, regardless of whether the DPO is appointed internally or outsourced. Therefore, the organization must ensure that the DPO is provided with sufficient resources, including financial support, infrastructure, and manpower, to perform their role effectively. The level of resources should be aligned with factors such as the complexity of data processing operations, the sensitivity of the personal data being processed, and the size and structure of the organization.
10. What Should Organizations Do If They Are Unsure Whether to Appoint a DPO or How to Find Qualified DPO Outsourcing Services?
If an organization is uncertain about whether it needs to appoint a DPO or is unsure where to start, it is advisable to consult a legal professional with data privacy and cyber security experience to assess whether the organization is required to appoint a DPO. If the answer is yes, the organization must then decide whether the DPO role can be filled internally or, due to expertise and cost considerations, whether outsourcing to an organization such as ours would be more suitable.
If your organization would like to learn more about DPO outsourcing services or assess whether your organization requires a DPO, you may reach out to us for a consultation.
If your organization needs help with further insights and legal guidance on Personal Data Protection (Amendment) Act 2024 or Data Protection Officer outsourcing services, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my