How Data Users Should Manage the Malaysian PDPA Under the New Normal

In today’s digitised economy, catalysed by COVID-19, work from home (WFH) arrangements and online transactions have become the new normal. While such arrangements make it possible for the economy to keep humming under the lockdown or Movement Control Order (MCO), they have also increased the risk of data breaches.

The good news is that organisations and employees can now gain a better understanding of data protection and its legal requirements through the Advanced Certificate in Data Protection Principles. Organisations today need to be more mindful of the risks involved.

The Advanced Certificate in Data Protection Principles consists of six modules that cover data protection principles in Asian countries as well as the General Data Protection Regulation (GDPR).

Why the Risk Has Increased

The increased risk stems from the fact that personal data is not merely collected on an online form and then stored in a system. In digitised (and even non-digitised) environments, risk is present at every stage of the Information Lifecycle: collection, usage/processing, disclosure/transfer, and storage/disposal.

At every point, the organisation is vulnerable to the risks of breaches and exposures.

Causes of Breaches

Why do data breaches happen to begin with? The answer to this question can be classified into three buckets:

  • Failure to identify risks
  • Failure to implement mitigation measures
  • Risks were identified and mitigation measures implemented, yet the breach still occurred

Identifying risks is the fundamental exercise that allows appropriate controls to be designed and put in place. From there, measuring the risks and following up on the actions taken are equally crucial.

This requires a trained data protection officer (DPO) to work and coordinate with the different business line operations to determine the risks and to create and implement the mitigation measures.

Common Mistakes

Even when the risks are identified and the mitigation measures are implemented, a data breach can still occur. Below are the common mistakes most organisations make:

  • Inadequate data protection measures
  • Minimal or no information security practices
  • Vulnerable IT infrastructure
  • Improper training (policies not communicated)
  • Complacency
  • Disjointed practice
  • Poor third parties and contract management

Under the new normal, these are the prevalent risks DPOs and risk managers face.

What Should Organisations Do

To mitigate the effects and risks from the mistakes above, organisations (through their DPOs) should take the following six essential steps:

  • Train and continue to improve their skills in risk management and data protection
  • Create a Governance Structure
  • Determine and alert the organisation to any risks
  • Create good practices and policies for handling personal data
  • Communicate the internal personal data protection processes and practices to the entire organisation (all levels)
  • Handle complaints and queries and liaise with the JPDP (Jabatan Perlindungan Data Peribadi, Malaysia’s Personal Data Protection Department, or the relevant national or local data protection regulator)