Full Implementation of The Personal Data Protection (Amendment) Act 2024 – Final Roundup

By user on May 28, 2025

For those who have been paying close attention to developments regarding Malaysia’s Personal Data Protection Act 2010 (“PDPA”), 1 June 2025 should be of particular significance to you – the day on which the Personal Data Protection (Amendment) Act 2024 (“Amendment Act”) will be fully implemented.

If you have been following our legal updates and compliance alerts closely, you will no doubt be aware that the Amendment Act is being implemented in 3 stages (1 January 2025, 1 April 2025, and lastly 1 June 2025), with each stage carrying different impact and weight for companies and businesses subject to the PDPA. Stage 3 of the implementation is arguably the most significant of the changes brought about by the Amendment Act – it is when the requirements on (i) the appointment of a Data Protection Officer (“DPO”); (ii) mandatory data breach notification (“DBN”); and (iii) data subjects’ right to data portability come into effect.

As 1 June 2025 is fast approaching, we have prepared this article as a final roundup of what companies and businesses should do to ensure compliance, specifically in relation to stage 3 of the implementation of the Amendment Act. In case you have missed our earlier articles, stage 3 brings into effect the requirements on DPO, DBN, and data subjects’ right to data portability, and this article focuses on these 3 requirements and their impact on data controllers and data processors.

1. Appointment of Data Protection Officer

From 1 June 2025, data controllers and data processors will be required to appoint a DPO if any one of the following 3 criteria is met:

  • (i) The data controller or data processor processes personal data of more than 20,000 data subjects;
  • (ii) The data controller or data processor processes sensitive personal data, including financial information, of more than 10,000 data subjects; or
  • (iii) The data controller or data processor engages in data processing activities that require regular and systematic monitoring of personal data.

While items (i) and (ii) are self-explanatory, most of our clients are quite confused about the type of data processing activity that would fall under item (iii). Put simply, for a data processing activity to be captured under item (iii), the data controller or data processor must watch or track data subjects’ personal data in an organised way and on an ongoing basis. The most common examples would be social media companies monitoring the in-app behaviour of users for profiling purposes, or the deployment of location tracking technologies on company-issued devices to monitor employees’ whereabouts.

If a data controller or data processor fulfils any of the 3 criteria set out above, it will be required to appoint a DPO by 1 June 2025.

Data controllers and data processors are, however, afforded the flexibility to appoint a DPO internally (either by nominating an existing employee or by hiring a new headcount for this role), or to outsource the role to a service provider. In assessing which of the 2 methods works best for an organisation, data controllers and data processors should be aware of the following minimum skills or expertise that DPOs must possess:

  • (a) Knowledge of data protection laws;
  • (b) Understanding of the organisation’s business operations;
  • (c) Technical and data security awareness;
  • (d) Ethical and corporate governance awareness; and
  • (e) Ability to cultivate a data protection culture.

If a data controller or data processor is able to identify an individual with all 5 of the above skillsets within its organisation (or where such an individual is available for hiring), and on the assumption that budget is not a constraint, then internally appointing a DPO may be the best way forward. Otherwise, outsourcing the DPO role to a service provider may be the preferred approach.

While the requirement to appoint a DPO comes into effect on 1 June 2025, data controllers and data processors are given a 21-day buffer to register their appointed DPOs with the Personal Data Protection Commissioner (“PDPC”). Hence, for those who have yet to appoint a DPO, it is not too late to kickstart the process now.

2. Requirement for Personal Data Breach Notification

The other key amendment that will come into effect on 1 June 2025 is the requirement for data controllers to carry out DBN in the event of a personal data breach that causes or is likely to cause significant harm. At the risk of oversimplification, a personal data breach can be understood as an incident through which personal data become accessible to unintended parties or where personal data are misused. It can be caused by external forces, as well as by negligent or deliberate acts of a data controller’s personnel.

After 1 June 2025, a data controller that suffers, or has reason to believe that it has suffered, a personal data breach will have the added responsibility of notifying the PDPC (and possibly the affected data subjects as well) of the incident if it is assessed that the personal data breach will result in, or is likely to result in, significant harm to the data subjects. In the event of a personal data breach that triggers the DBN requirement, data controllers are expected to notify the PDPC no later than 72 hours after becoming aware of the personal data breach, and to notify the affected data subjects within 7 days after the data controller first notified the PDPC.

The PDPC has prescribed the steps, manner and form of notification to be made by a data controller to the PDPC and the affected data subjects in the event of a personal data breach. Essentially, data controllers will have to disclose to the PDPC and/or the affected data subjects, among other things, information on the cause of the personal data breach, the potential consequences flowing from the breach, and the measures taken or proposed to be taken to address the personal data breach and to assist the affected data subjects.

Given the tight notification timeline prescribed by the PDPC, it is almost guaranteed that a data controller will be racing against time when managing a personal data breach. To better manage a personal data breach and to mitigate the risk of negative publicity, data controllers should consider establishing a personal data breach management protocol to guide employees and stakeholders through a personal data breach, from detection and assessment of whether significant harm is likely, through to notification of the PDPC within 72 hours and of the affected data subjects within the 7 days that follow. Having such a protocol in place will also facilitate the data controller’s efforts to comply with the new DBN requirements that come into effect on 1 June 2025.

3. Data Subjects’ Right to Data Portability

Last but not least, data subjects will soon (after 1 June 2025) be equipped with the right to request the porting of their personal data from one data controller to another. Network service providers in Malaysia are certainly no strangers to this data portability requirement, considering that the Malaysian Communications and Multimedia Commission has long imposed this requirement on the telcos.

Data portability in the context of the PDPA essentially refers to the data subject’s ability to obtain and reuse their personal data across different data controllers. One key benefit of data portability to data subjects is that it allows the seamless movement of personal data from one service provider to another. To take an example, in light of the data portability requirements, hospitals are now required to ensure that they keep patients’ information in formats that are readable by other hospitals, so that this information can be transmitted to another hospital upon request.

At the time of writing, the PDPA is silent on the timeline within which data controllers must complete the transmission of personal data to another data controller when requested by data subjects; this will only be prescribed by the PDPC in the future. If we are to take cues from the European General Data Protection Regulation, data controllers may be given up to one month to complete the transmission of personal data.

In light of the 1 June 2025 implementation timeline for the data subjects’ right to data portability, data controllers should conduct a technical assessment of whether they have the necessary technical capability to carry out the transmission of personal data when requested by data subjects.

The final implementation stage of the Amendment Act coming into force on 1 June 2025, which is just a few days away from the time of writing this article, marks a significant shift in the regulatory and compliance landscape of personal data protection law in Malaysia, particularly on the data processing activities of data controllers and data processors. While we are still a few days away from the implementation milestone, data controllers and data processors should do a final assessment to ensure that systems, policies and practices are fully aligned with the new requirements. This final window offers both a challenge and an opportunity – to not only comply, but to lead with clarity, accountability and preparedness in this new chapter.

If your organisation needs further insights and legal guidance on the Personal Data Protection (Amendment) Act 2024 or Data Protection Officer outsourcing services, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.


About the authors

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
[email protected]

Ong Johnson
Partner, Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
[email protected]


© All rights reserved 2026 Halim Hong & Quek.