
Since the publication of the Personal Data Protection (Amendment) Bill 2024 (the "Bill"), we have received several enquiries concerning the role of the data protection officer ("DPO") mandated under the Bill. Many companies are now assessing the need to appoint a DPO, in anticipation of it becoming a requirement once the Bill is passed and comes into force. Some chief compliance officers and chief risk officers are also concerned that they may be designated as the DPO of their respective companies, and are looking to better understand the responsibilities of a DPO so that they can prepare for that eventuality.
The DPO is not a new role created by the Bill. The EU's General Data Protection Regulation ("GDPR") has long established the role of the DPO within an organisation. This article explains the role of a DPO and provides high-level guidance on the tasks and responsibilities of a DPO, drawing reference from the EU's GDPR.
The responsibility of a DPO is, first and foremost, to ensure that the organisation complies with its statutory obligations under the Personal Data Protection Act 2010 ("PDPA"), whether as a data user (to be known as a data controller once the Bill is passed) or as a data processor. There are a few key aspects to the role of a DPO in discharging this responsibility fully:
- 1. Providing Training to the Organisation
- Education is always the first step to compliance. For an organisation to adhere to the requirements of the PDPA, it must first understand comprehensively which obligations apply to it. The DPO is typically expected to have in-depth knowledge of personal data protection law and is therefore the default internal adviser to key stakeholders on matters concerning personal data.
- 2. Formulation of Data Processing Policies
- For companies that handle a large volume of personal data, it is important to have data processing policies in place to ensure that good practices are observed and to minimise the misuse of personal data by employees. A DPO is expected to formulate the data processing policies of the organisation to which he or she is attached, and to spearhead the implementation of those policies. To perform this task properly, the DPO should be familiar with the data processing needs of the organisation so that the policies created cater for all such needs.
- 3. Main Liaison with Data Subjects
- The existing PDPA provides for certain rights of data subjects, such as the right to access personal data, the right to request the correction of personal data, and the right to limit the processing of personal data. One of the key tasks of a DPO is to act as the liaison between the organisation and its data subjects. The contact details of the DPO are normally included in the privacy policy or personal data protection notice of the data user or data controller. In assisting the organisation to discharge its statutory obligations under the relevant data protection law, the DPO is expected to handle requests put forward by data subjects and to ensure that the organisation complies with or responds to them appropriately.
- 4. Liaison with Authorities
- Apart from acting as the liaison with data subjects, the DPO also often doubles as the liaison with the authorities, particularly those that oversee or administer the data protection laws. In jurisdictions where data breach notification is mandated (Malaysia will be one if the Bill is passed), the DPO is also expected to communicate with the authorities in the event of a data breach and to assist the organisation in containing the effects of the breach.
More often than not, the role of a DPO is undertaken by the Chief Compliance Officer, Chief Risk Officer, Chief Legal Officer or the general counsel of an organisation. A DPO is rarely a dedicated role unless the principal business of the organisation is the processing of personal data. As such, the person appointed as DPO will normally wear more than one hat within the organisation. To ensure compliance with the applicable data protection law, a DPO may consider working with external legal counsel, especially in providing training to internal stakeholders and formulating data protection policies. Given that a DPO should have a thorough understanding of the organisation's data processing needs, he or she is in the best position to convey those needs to external counsel, who can then craft appropriate data processing policies on behalf of the organisation.
As the world pays more attention to individuals' rights over the processing of their personal data, the role of the DPO is becoming ever more crucial in assisting data controllers and data processors to navigate the intricacies of data protection law. The job of a DPO should not be taken lightly: failure to discharge these duties may result in financial penalties for the company under the applicable data protection law, and potentially also attract personal liability for the DPO.
Should you have any questions concerning the obligations of a DPO under the Bill, or if you would like to find out more about the slated changes to the PDPA to be brought forth by the Bill, please do not hesitate to contact our professionals from the Technology & Corporate Practice Group who frequently advise on matters relating to compliance with the PDPA.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual
Property, Corporate/M&A, Projects and Infrastructure,
Privacy and Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology,
Media & Telecommunications, Intellectual Property,
Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my