The Malaysian Personal Data Protection Commissioner (Commissioner) has recently issued Public Consultation Paper No. 1/2018 (PCP), which aims to collect feedback on the Commissioner's proposal to implement data breach notification obligations for data users.
As part of the data breach notification, the PCP proposes the following:
- data users must notify the Commissioner and any other regulatory bodies or law enforcement agencies within 72 hours of becoming aware of a data breach incident;
- data users must provide a summary of the data breach incident and its circumstances, the type and amount of personal data involved and the approximate number of affected data subjects;
- data users must provide information on any containment or control measures that are taken or will be taken to contain the incident and the potential harm, especially towards the affected data subjects;
- data users must provide information on the method by which the data user notifies the affected data subjects and the advice given to such affected data subjects; and
- data users must provide regular training to staff, which shall be no less than once every twenty-four (24) months, and detailed guidance on the processing of personal data.