Malaysia’s critical data privacy law is The Personal Data Protection Act of 2010 (PDPA). The PDPA and its implementing regulations establish the Personal Data Protection Department (PDPD) under the Ministry of Communications and Multimedia (MCMC) and outline protections for personal data. 

Kuala Lumpur—the capital city of Malaysia—-is a significant economic hub being revolutionized by data-driven activities. As the PDPD continues to implement the regulations and propose amendments to the PDPA, organizations in Malaysia must strive to remain compliant with protections.

Here are the highlights:

Extraterritorial scope

The PDPA applies to all personal data processed within Malaysia. Organizations established outside Malaysia are still subject to restrictions if they use equipment in Malaysia for processing data.

Sensitive data

Any personal data related to the physical or mental health condition of a data subject, their political opinions, their religious beliefs or other beliefs of a similar nature, their alleged criminal history, or any other forms of personal data recognized by the Ministry are considered sensitive data.

Consent framework

Organizations cannot process personal data unless the data subject has provided their consent or a typical legal exception applies. Data subjects must explicitly consent for organizations to process sensitive data. There are only restricted exceptions to this condition.

Data subject rights

The PDPA grants data subjects the right to access their personal data and related information, correct any erroneous personal data, prevent the processing of data that is likely to cause damage to them or for direct marketing, and withdraw their consent.

Personal data lifecycle

Once the purpose for processing is fulfilled, organizations must ensure that the data is destroyed or permanently deleted. Data controllers are not responsible for backing up any data, but they must maintain a record of any activities related to the personal data.

Data security

The PDPD heavily regulates that data should be protected and secure, especially when stored and transferred. Encryption is not cited as standard practice. Specific industries, however, must abide by Codes of Conduct published by the Ministry.

Data user registration

Data users not established in Malaysia but use equipment in Malaysia to process data for purposes other than transit must nominate a representative to coordinate with the authorities. Furthermore, specific categories of data users (based on industry and sector) must apply and register with the PDPD.

Breach notification protocol

The PDPA does not outline a specific breach notification protocol. However, the PDPD has issued PCP No.1/2018 and PCP No.1/2020 to introduce and collect feedback for a provision for data users to report breaches to all affected parties and the relevant authorities using a designated reporting mechanism. Highly-regulated sectors are already subject to notification requirements to related institutions.

Data localization & international data transfer

The PDPA generally prohibits international data transfer unless it is a special circumstance. Furthermore, personal data can only be transferred to jurisdictions specified by the Ministry as having adequate protections if a permissible legal basis for processing applies. The Ministry only approves transfers to non-adequate jurisdictions in certain limited cases. The Ministry has not published an official list of countries, but, in PCP No.1/2017, they recognized the following regions as adequate: the EEA, UK, Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Australia, China, Hong Kong, Japan, the Philippines, Singapore, South Korea, and Taiwan as a draft list of approved countries. The USA and Dubai International Finance Center have been proposed as adequate too.

Implications

Prohibitions on international data present a challenge for global organizations. Luckily, most cloud computing platforms have established zones within Malaysia. Organizations should modify the data flow to ensure that personal data is processed and stored at data centers in Malaysia. Organizations should then separate and classify all sensitive data to assure compliance with the additional restrictions. Based on the nature of the data, organizations should establish fitting policies to regularly destroy data that has been processed and implement appropriate safeguards for security. Encryption is a valuable means of meeting this requirement when data, especially sensitive data, is stored and transferred. Organizations ideally should flow out the types of data being processed and its flow throughout the organizations to meet these demands.