Spotlight on... Assoc. Prof. Dr. Sonny Zulhuda, Assoc Prof of Law, IIUM


In this edition we feature Assoc. Prof. Dr. Sonny Zulhuda, a leading academia on law and data protection from the International Islamic University of Malaysia.

Please share with us about your background.

I am educated in law and legal studies, and my postgraduate research areas were data protection law and Information security law. I am now an Associate Professor in Faculty of Laws, International Islamic University Malaysia.

How is it that you got interested in data privacy/protection? 

Since I attended my Cyberlaw class while doing my Masters back in the year 2000. One very interesting topic was personal data protection law. I was so intellectually fascinated and intrigued when reading about right to privacy and how digital technology posed the challenges to it. Then controversy on how to regulate it was abound at both sides of the Atlantic. At the same time, Malaysian government came up with the first draft bill on the PDP Act. I told myself; I want to research on this to satisfy my intellectual thirst.


When did you first get involved and exposed to the importance of data privacy? 

It was in 2005 when I was part if the national committee working on the National Cyber Security Policy. Then since 2006 I was involved in training professionals from public and private sectors on various issues of personal data protection law. This training activities got intensified after the enactment of the PDP Act of Malaysia in the year 2010.

What data privacy courses did help conduct with Straits Interactive /DPEX network and why? How was that different from other courses you have seen

I have dealt with topics relating to the concept and implementation of data pricacy law and PDP in Malaysia. Also, on the application and impact of 7 PDP Principles on Malaysian businesses. These courses are both about the concept of regulations and case studies relevant to them. Both theoretical and practical aspects make the course interesting, lively and more useful.

What is your current job role? Which privacy functions are you involved in? 

As a university professor, I develop teaching modules, teaching postgraduates, conducting research on data privacy and PDP law. I gave also been involved in international academic networks in Oxford, Canada, Sydney, Beijing, Seoul, Riyadh, Singapore and Brussels where my expertise has been required on specific research and projects. I believe there are a lot more to explore and contribute on this vast area where law and technology intersect.


What practical advice would you offer to those wanting to implement a data protection management programme in their organisation?

First and foremost, you need to be clear yourself on what you want to achieve. You are basically looking for a comprehensive theoretical and practical solutions. In most cases, the solutions are not a ready product. It must come from a good privacy and security culture and awareness. Then you need to translate that culture in the best practices. Any attempt to cut the process and get only partial knowledge is simply a waste of your resources.

Any interesting case, experience or scenarios to share for readers to get more insights into data privacy?

There are too many incidents and cases before now than a decade ago. Privacy breaches are now running headlines, day in, day out. We can learn from those stories.

What advice do you have for others? 

Data privacy law in this 21st century is what an intellectual property law was in the 20th century and a land/real property law in the 19th century: A trend-setter!


The good news is, this disruptive set of knowledge and skills can now be learnt through various modular courses leading to advanced certificates. For people in Southeast Asia, I am pleased to note that the DPEX network of universities are there to offer those data protection programs. Those programs are not only a huge investment for the takers, but are ticket to professional excellence in this digital age.

Any final words from a law academia perspective for our audience?

A privacy professional skill set is unique. It is about both human rights and property, ethics and best practices, involving both tangible and intangible, triggering both legal and business challenges. Also, you need to understand both the human and technical aspects of it. If you fail one, you fail the other. Becoming a privacy professional, you are to nurture both sides of the subject matter.

By -  Leong Wai Chong (GRCP)

Just one more step! We've sent an email to .
Please check your inbox or spam and open it to activate your account.

Related Articles