Managing PDPA in the new normal in Malaysia

How should a data user (an organisation) manage its obligations under the Malaysian PDPA in the "new normal"?

30 Mar, 2021

In a digitised economy, catalysed by the COVID-19 pandemic, online transactions and WFH (work from home) arrangements have become the new normal. Whilst this allows the economy to keep humming under the MCO (Movement Control Order) or lockdown, it has also increased the risk of a data breach. Organisations have to be mindful of the risks involved, and this will lead to even stronger demand for data protection and cybersecurity professionals.


Why has the risk increased?

This is because personal data is not just collected on an online form and stored in a system. In a digitised (or even non-digitised) organisation, the risk lies across the entire information lifecycle, which runs through every process involving personal data in the organisation, comprising:

Causes of Breaches

Why do Data Breaches Happen in the first place?

The answers to this question fall into three buckets:

1. Failure to Identify Risks

2. Risks identified, but mitigation measures not implemented

3. Risks identified and mitigation measures implemented, yet a breach still happened

Identifying risks is a fundamental exercise that ensures appropriate controls can be designed and put in place. Thereafter, following up on the actions and risk mitigation measures taken is crucial. It takes a trained data protection officer to work and coordinate with the various business lines to identify the risks, and to devise and deploy the mitigation measures.


Common Mistakes

Even if the risks are identified and mitigation measures implemented, a data breach may still happen. The seven common mistakes that organisations make are:

1. Insufficient data protection measures

2. Little or no information security practices

3. IT infrastructure vulnerable to online threats

4. Improper training, with policies not communicated

5. Disjointed practice

6. Complacency

7. Poor third-party and contract management

These are common risks that not only DPOs but also governance, risk and compliance (GRC) managers face under the new normal.


What should the Organisation do?

To mitigate the risks and effects of these mistakes, the organisation (through its DPO) needs to take six basic steps:

  • Be trained, and continue to upskill, in data protection and risk management
  • Create the governance structure
  • Identify risks and alert the organisation to them
  • Develop good policies and practices for handling personal data
  • Communicate the internal personal data protection policies and processes to the entire organisation (at all levels)
  • Handle queries or complaints, and liaise with the JPDP (Jabatan Perlindungan Data Peribadi, Malaysia's Personal Data Protection Department) or the relevant local/national data protection regulator

Article by: Benjamin Shepherdson, GDPR & Info Sec (EXIN), CIPM, GRCP, Country Manager/Director (Malaysia), Straits Interactive Pte Ltd, and Leong Wai Chong, CIPM, GRCP

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.
