Public Consultation Paper No. 1/2018 on the Implementation of Data Breach Notification
In light of the recent cases of personal data breach that have occurred in Malaysia, the Department of Personal Data Protection has introduced a public consultation paper on the implementation of Data Breach Notification (“DBN”), a requirement already in place in the majority of countries worldwide.
Objectives of Implementing DBN
Before delving into the purpose of introducing DBN, it is pertinent to note that the Personal Data Protection Act 2010 (“PDPA”) contains no provision on notification of a breach of personal data. The implementation of DBN is aimed at plugging this gap in the PDPA and at assisting data users in managing personal data breaches. The DBN is intended to provide a mechanism under which data users must notify the relevant authorities and the affected parties when a breach of personal data occurs.
Elements in DBN
The Public Consultation Paper outlines the following elements of the DBN:
(a) a summary of the breach and the circumstances of the breach, including the type and amount of personal data involved;
(b) details of the action or measures taken to contain the breach and the potential harm arising from it;
(c) notification of the breach to the Commissioner of Personal Data within 72 hours of the breach;
(d) the affected data subjects must be informed in a systematic and orderly manner; and
(e) guidance should be provided to employees of data users on the handling and reporting of personal data breaches.
The Department of Personal Data Protection aims to have the DBN implemented by the end of 2018. Such a move is encouraging. It is worth noting that under the recently implemented General Data Protection Regulation (“GDPR”) of the European Union, notification of personal data breaches is mandatory across all European Union member states. At a time when data is regarded as a precious commodity, the implementation of DBN will add an extra layer of protection to safeguard the interests of data subjects and their personal data.