Amendments to Malaysia’s Personal Data Protection Act 2010 (PDPA)

The State of Privacy in SEA

The tide is turning for privacy in SEA, with over half of the countries in the region now having standalone data privacy and protection related regulations. This marks a significant shift in the data privacy and protection landscape, and as digital economies continue to expand, the demand for such robust regulations is expected to intensify, potentially prompting the remaining nations to adopt similar regimes. These developments underscore a deepening regional commitment to data privacy and protection, although the implementation and enforcement of these laws may vary.

Strengthening data protection in Malaysia

Malaysia, the first country in SEA to regulate the processing of personal data in commercial transactions, is now revising its primary data privacy and protection legislation – the Personal Data Protection Act 2010. More than a decade since its inception, robust data privacy and protection safeguards has never been more crucial in Malaysia. The increasing reliance on digital platforms and innovative technologies amplifies expectations for a series of safeguards against the rising tide of personal data misuse. A concerted effort to embrace data privacy and protection is essential to protect against emerging threats and restore trust in the digital economy, ensuring individuals have control over their personal data in an interconnected world.

Overview of key amendments

On 31 July 2024, the Senate (Dewan Negara), the upper house of the Malaysian Parliament, passed the Personal Data Protection (Amendment) Bill 2024. These amendments are significant, introducing greater accountability for organisations handling personal data. In summary, the amendments can be outlined in nine distinct categories:

1. Mandatory appointment of a Data Protection Officer (DPO)
2. Data breach notification to the Commissioner and data subjects
3. Rights to data portability
4. Inclusion of biometric data as sensitive data
5. Data transfer to countries with equivalent level of protection
6. Direct responsibilities on data processors
7. Exclusion of deceased individual as data subject
8. Change of terminology from "data user" to "data controller"
9. Increase of penalties for breach of personal data protection principles

Important developments on the horizon

Organisations are advised to closely monitor developments in this area and prepare for the additional compliance obligations they may potentially face. The amended PDPA will be further supplemented by upcoming guidelines and PDP standards, covering topics such as data breach notification, data protection officers, data portability, cross-border data transfer, data protection impact assessment, privacy by design, and profiling and automated decision-making.

Are you prepared?

The revised law is expected to have a significant impact on organisations across four key dimensions: People, Process, Policy, and Technology. These changes necessitate a re-evaluation and adaptation of current practices.

At Deloitte, our Digital Privacy and Trust team provides a suite of services that can help your organisation evolve your program to protect the data and business models that truly matter, while keeping up with the latest regulatory changes. We also offer tailored solutions based on your organisation’s characteristics and needs.

We hope this brochure will guide organisations in navigating the data privacy and protection landscape and requirements in Malaysia.