Data protection in Malaysia is poised for significant change – that is, if the Ministry of Communications and Digital succeeds in tabling the amendments to the Personal Data Protection Act 2010 (PDPA) in Parliament this year, which could see the amended Act in force by March 2024 at the latest.[1] The review began in February 2020 with the issuance of a public consultation paper and aims to align the PDPA with global data protection laws. Although the proposed changes have yet to be made public, the amendments are expected to address the pressing issue of the security of personal data in the country.

Over recent years, the government has stepped up its efforts to strengthen the nation's data security landscape. In December 2022 it issued the General Code of Practice, which applies mandatorily to classes of data users not covered by any other code of practice registered under the PDPA.[2] Shortly thereafter, Malaysia signed an MoU with Singapore to cooperate on personal data protection, cyber security and the digital economy.[3] There are also plans in motion to establish a Cyber Security Commission and to elevate the country's privacy regulator – the Department of Personal Data Protection (JPDP) – to a statutory body with the resources to combat personal data leaks.[4] Indeed, a holistic review of the data protection and cyber security regulatory frameworks is long overdue.

These concerted efforts by the government appear to be driven by the urgency of addressing a series of major data breaches in 2022 – involving both high-profile companies and government agencies. Notably, one of the country's leading payment gateway providers confirmed that it had experienced a data breach and initiated a forensic investigation into the incident.[5] Nor have the many incidents reported in years past been forgotten.

These incidents have prompted the government to review the PDPA and the country's approach to data protection as a whole. Penalties and fines that are no longer fit for the present day are also expected to fall within the scope of the review. It is worth noting that the maximum fine provided for in the PDPA is only RM0.5 million. This stands in stark contrast to the fines available under regulations such as the European Union's General Data Protection Regulation, which can reach €20 million or 4% of an organization's global annual turnover, whichever is higher.

What should the intended outcome be?

It is hoped that the proposed changes to the PDPA will finally be tabled and passed, serving the twin purposes of enhancing personal data protection and enforcing accountability among organizations that handle personal data. The changes should also adapt to the evolving digital landscape, ensuring that data protection measures keep pace with the rapid growth of technology, the increasing reliance on digital platforms and the increasingly borderless trade that characterizes the present day. It is further hoped that the amendments will address data sovereignty and portability, as Malaysia aspires to become a regional hub for data processing, that is, to process data sets generated abroad on a large scale.

Given this context, it is imperative for businesses to strengthen their data security measures proactively. Should the PDPA amendments come to pass, non-compliance can be expected to attract heftier fines and penalties, which would serve as a stronger deterrent and hold companies accountable.

The consequences of a security lapse or data breach also go beyond financial penalties, potentially leading to a loss of trust among your customers, investors and stakeholders. This can have far-reaching implications for a business's bottom line, ultimately affecting its reputation and continuity.

Further, protecting data is now a baseline expectation of businesses, as customers are increasingly inclined to choose those that demonstrate a strong commitment to safeguarding their personal information.

Underestimated risks

To manage new and emerging complexities in data and privacy, companies need to look beyond cyber security alone to data mapping and data flows, information lifecycle management, effective internal policies and consent notices, third-party management, training and awareness of personnel, and incident management.

This entails developing a privacy and information security framework that applies across your organization's business operations, covering internal processes and procedures, and that is designed for continuous monitoring and updating. In our observation, most organizations underestimate the effort this requires. At present, these components are commonly addressed in silos, which ultimately weakens data security and increases the risk of data and privacy breaches. Organizations may also lack awareness of their current state of compliance with the prevailing privacy regulations.

A holistic approach to data and privacy management is required, and technology can help achieve it. For example, KPMG's Data Protection Navigator brings the key aspects of data privacy together on one platform where companies can evaluate their privacy compliance and access automated maturity assessments whenever needed. With real-time insights, high-risk exposure areas can be identified promptly and proactive decisions made to maintain continuous privacy compliance.

To operationalize data protection and privacy risk governance within their organization, business leaders should have ready answers to the following questions:

•      Is there a board-recognized governance structure to oversee privacy compliance?

•      Are your internal policies and procedures designed with data privacy and protection in mind?

•      Do your policies require risk assessments to be carried out across business functions, processes and applications?

•      Are your internal processes comprehensive enough to include third-party risk management?

•      Have you implemented a comprehensive training and development program to ensure your people are regularly trained and updated on data privacy and protection?

•      Do you have adequate cyber security measures in place to protect the data you’re collecting?

•      Do you have an incident response and business continuity plan ready should your organization experience a data breach?

Ultimately, steps to address privacy risks within your organization should not begin only after a data breach occurs, a fine is incurred or the regulator takes action. Prevention is better than cure; the damage caused by a data or privacy breach, and the weaknesses it exposes in your organization, may be irreparable.

This article was first published in The Star on 23 June 2023.