This article is relevant to all organisations in Malaysia that collect, store, and process personal data (“Data Controller”) under the Personal Data Protection Act 2010 and its amendments (“Act”). This Guideline sets out the procedure for a Data Controller to notify the Commissioner and affected data subjects of a personal data breach.

This mandatory personal data breach notification obligation does not directly apply to data processors. As such, a Data Controller is required to contractually impose an obligation on its data processors to promptly notify the Data Controller of any personal data breach that has occurred and to provide all reasonable and necessary assistance to the Data Controller in meeting its obligations under the Guideline.

What constitutes a “personal data breach”?

A personal data breach refers to any event/incident that leads or is likely to lead to the breach, loss, misuse or unauthorised access of personal data.

It may be caused by accidental or deliberate actions, internally or externally.

When is notification to the Commissioner required?

A Data Controller is required to notify the Commissioner only if the personal data breach causes or is likely to cause “significant harm.”

What is “Significant Harm”?

A breach may be considered significant if the compromised personal data:

  1. May result in physical harm, financial loss, a negative effect on credit records, or damage to or loss of property;
  2. May be misused for illegal purposes;
  3. Consists of sensitive personal data;
  4. Consists of personal data and other information which, when combined, could enable identity fraud; or
  5. Is of significant scale (i.e. the number of affected data subjects exceeds 1,000).

Timeframe for Notification to the Commissioner

Once the Data Controller is informed by an individual, a media organisation or any other source, or itself detects a security incident, it shall conduct a preliminary investigation to determine whether a personal data breach has occurred. Notification must then be made as soon as practicable and no later than 72 hours from the occurrence of the breach.

How to Notify the Commissioner

Notification may be made through:

  1. Completing the notification form on www.pdp.gov.my;
  2. Completing Annex B under this Guideline and submitting it to dbnpdp@pdp.gov.my; or
  3. Submitting a hard copy of Annex B to the Commissioner.

Delayed Data Breach Notification

If the data controller fails to notify within 72 hours, a written notice must be submitted to the Commissioner explaining the delay and providing supporting evidence (including the incident timeline, internal communications, technical issues, or external factors).

Contact Point & Assistance with Investigations

If the data controller is required to appoint a Data Protection Officer (“DPO”), the DPO shall act as the main point of contact for the Commissioner.

If not required to appoint a DPO, the data controller must designate a representative with sufficient seniority and expertise.

A data controller who fails to notify the Commissioner commits an offence and is liable to a fine up to RM250,000, imprisonment up to 2 years, or both.

Requirement to Notify Affected Data Subjects

The Data Controller shall also notify data subjects if the breach results in or is likely to result in significant harm to the affected data subjects.

Timeframe

Notification to affected data subjects shall be made without unnecessary delay, and not later than 7 days after the initial notification to the Commissioner.

Manner of Notification

Notification must be direct and individual, in clear and intelligible language, enabling the data subject to take necessary precautions.

If direct notification is not practicable or requires disproportionate effort, alternative methods such as public communication may be used.

Examples of disproportionate effort include:

  1. Needing to contact large numbers of data subjects across multiple states or countries; or
  2. Data subjects having outdated or incorrect contact information requiring extensive resources to update.

Information to Be Provided to Data Subjects

Notifications must include:

  1. Details of the breach;
  2. Potential consequences;
  3. Measures taken or proposed by the data controller;
  4. Measures to mitigate adverse effects;
  5. Recommended steps for affected data subjects;
  6. Contact details of the DPO or designated contact point.

The Data Controller must also keep records and maintain a register of all breaches for at least 2 years, including those not meeting the notification criteria.

Key Takeaway

Organisations must put in place adequate data breach management and response plans.
The focus should be on ensuring that the Data Controller is able to promptly identify a personal data breach, take appropriate measures to contain and mitigate the breach, and comply with its data breach notification obligations.

***

This article was written by Jocelyn Lier (Associate) from Donovan & Ho’s corporate practice.

Our corporate practice group advises on corporate acquisitions, restructuring exercises, joint venture arrangements, shareholder agreements, employee share options and franchise businesses, Malaysia start-up founders and can assist with venture capital funds in Seed, Series A & B funding rounds. Feel free to contact us if you have any queries.
