PDPA: A much needed update

A dispute resolution lawyer and member of the Malaysia Bar Council, Sarah Yong, talked about the state of local cybersecurity legislation with a focus on the Personal Data Protection Act (PDPA) and what businesses need to do to comply with the legislation.

To get a gauge on the state of cybersecurity and personal data protection legislation, one only needs to look at the series of breaches Malaysia has undergone, the responsible parties (many), and the action they have taken since (zilch).

Were the data breach events so inconsequential that not a single affected party, or the regulator for that matter, would say anything about it?

To be fair, since last January when Sarah gave her presentation at the Internet Alliance cybersecurity event, the newly elected government has had time to settle into their collective roles, take stock of the real situation, and announce their next steps in terms of cybersecurity. One was the setting up of a scam response centre, and another was the implementation of a killswitch which enables banking users to immediately freeze their accounts in the event of any suspicious activity. EITN has shared their initial responses about these measures here.

So, the government HAS taken some action in response to the data breaches, although it is too little and extremely too late.

Sarah also noted that since the JPN breach (and the many others before and after that), there has been next to no news about what was being done to address the almost continuous leak of Malaysians’ personal data.

The scariest thing about the JPN hack is that Malaysians do not even know if their data has been leaked, because the Government does not inform them.

The challenge?

According to Sarah, “Now in Malaysia, there is no overarching cybersecurity legislation at the moment.”

What we do have however is various different laws, covering various different aspects relating to the Internet, to cybercrime, to online transactions, to service providers, and so on. It is all over the place, in essence.

This situation also makes it extremely difficult to come forward with resounding statements and impactful actions. There are many stakeholders and sensitivities to consider.

However, Sarah shared that the previous government was going to reveal a Cybersecurity Act.

“The scheduled announcement or revelation of it is supposed to be this year 2023. So let’s wait and see when that happens, and we will be able to then look at the contents of the Cybersecurity Act.”

It has been about 3 months since Sarah shared this about the Cybersecurity Act, and as she had pointed out that various stakeholders will be engaged to discuss the bill, I think that is the key thing that needs to happen right now.

The PDPA

The PDPA bill has been around since 2010, and came into force in 2013, according to Sarah. Truth be told, I have come across a few scenarios when PDPA should have been enforced, but was not. From what I understand, the onus was upon the claimants (or persons whose data had been abused) to pursue the matter via the legal route.

Needless to say, I was curious to find out how accurate this is, and the actual scope of PDPA enforcement.

Sarah explained that the scope of the PDPA is personal data, specifically personal data that is exchanged in a commercial transaction between businesses and consumers. So the government, and non-commercial transactions, are excluded from this act.

“So, there is a wide exclusion of data that is at risk because they are not protected.”

Sarah opined, “There are so many issues that have happened, data breaches that have happened, and I think on the policy level, in terms of accountability, the government needs to be the one to be accountable…then the businesses will follow.”

What to look out for?

Businesses can download a Personal Data Protection standards document, that serves as a list of minimum standards for businesses to adhere to.

Sarah prepared a checklist of things business owners need to prepare in order to comply with the PDPA, or risk paying costly fines.

For starters, businesses need records of consent by the data subjects. She also advised business owners to have a written privacy notice and even a list of disclosures of personal data made to third parties.

She also mentioned a security policy which states the SOPs that will be undertaken in the event of a data breach. A register of employees that have access to personal data is also very important, as are records of your organisation’s compliance with the minimum retention standards, records of any periodic disposal of data, and records of your organisation’s compliance with minimum data standards.

What’s next?

An update to the PDPA is coming. The proposed amendments, according to Sarah, include a wider scope that now covers data processors. These are not just the companies and businesses that use the data, but also the companies that service and process the data, and hence hold the data (likely on their premises), or even hold the data in cloud storage.

Sarah emphasised, “Soon, data processors would have direct obligations under the Personal Data Protection Act.”

So far, companies are not mandated by law to report when they are hacked or have data that is compromised. This is expected to change soon.

She also shared her belief that mandatory reporting of breaches within 72 hours of the event would be included in the PDPA.

There also needs to be an appointment of a data protection officer within companies.

A blacklist approach is being considered when it comes to data transfer across borders for cloud storage services; if data transfer routes take it through a blacklisted country, companies need to obtain permission from the regulator.

Discussions about a much needed PDPA upgrade have come up as well during SecurityLAH! podcast episodes. View the episodes here.