Public Consultation on the Implementation of Data Breach Notification
August 2018
The Personal Data Protection Commissioner (“Commissioner”) has issued the Public Consultation Paper No. 1/2018 – The Implementation of Data Breach Notification (“Consultation Paper”) to seek public feedback on personal data breach management.
Under the Personal Data Protection Act 2010, there is no legal requirement for data users to notify the authority or data subjects of a personal data breach. Past personal data breaches in Malaysia involving personal data of mobile phone subscribers and internet protocol television (IPTV) customers have increased public awareness of personal data protection.
The Commissioner proposes to implement data breach notification in line with the personal data laws of some jurisdictions. Notably, the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Union, which came into force on 25 May 2018 and gained much public attention due to its wide extra-territorial reach, requires data users to notify the relevant supervisory authority and the relevant data subjects of a personal data breach.
The proposed implementation of data breach notification is intended to be a mechanism for data users to notify the authority and affected parties where a personal data breach has occurred in an organisation. In particular, the Consultation Paper proposes that notification to the Commissioner be made not later than 72 hours after the data user becomes aware of the breach. The Commissioner proposes to implement data breach notification by the end of 2018 by imposing conditions on the certificates of registration issued by the Commissioner to data users.
The deadline for submitting feedback is 21 August 2018.