The Malaysian Personal Data Protection Commissioner (Commissioner) has recently issued Public Consultation Paper No. 1/2018 (PCP) which aims to collect feedback on the Commissioner's proposal to implement data breach notification obligations for data users.
As part of the proposed data breach notification regime, the PCP proposes the following:
- data users must notify the Commissioner and any other regulatory bodies or law enforcement agencies within 72 hours of becoming aware of a data breach incident;
- data users must provide a summary of the data breach incident and its circumstances, the type and amount of personal data involved and the approximate number of affected data subjects;
- data users must provide information on any containment or control measures that are taken or will be taken to contain the incident and the potential harm, especially towards the affected data subjects;
- data users must provide information on the method by which the data user notifies the affected data subjects and the advice given to those data subjects; and
- data users must provide regular training to staff, no less frequently than once every twenty-four (24) months, together with detailed guidance on the processing of personal data.
The data breach notification requirement is expected to be implemented by imposing conditions on the certificate of registration issued by the Commissioner to data users. In other words, the Commissioner proposes that only the classes of data users in the 13 industries that are required to register with the Commissioner should be subject to the data breach notification requirements.
The PCP may be accessed here. Data users may provide their feedback using Appendix C of the PCP and submit the completed form by email by 21 August 2018. The PCP anticipates that the data breach notification obligation will be imposed by the end of 2018.