PETALING JAYA: Data governance, security and privacy will become more secure on the back of a slew of cybersecurity and data protection laws that has been legislated and those that are in the pipeline.
The Cyber Security Act has been gazetted, the Personal Data Protection Act (PDPA) has been amended and another legislation dubbed the Omnibus Bill, which will facilitate data sharing and cloud storage among government agencies, is in the pipeline.
ALSO READ: Cyber Security Act set to be enforced soon
Prof Dr Mohamed Ridza Wahiddin, chair of The Information Technology and Computer Science Discipline, Academy of Sciences Malaysia, said these laws govern the country’s digital sovereignty.
“It is not just about catching up with the latest technology for securing cyberspace or attacking victims. E-sovereignty means having good data governance, security, privacy as well as preserving national identity and values,” he said.
By introducing or amending cyber laws, it is expected that data governance, security and privacy will be enhanced.
“This will address existing loopholes that will not only prevent cyber attacks but also to facilitate friendly collaboration and sharing.
“Furthermore, by introducing a more severe punishment, it is hoped to be a deterrent to cyber criminals. Bear in mind, cyber crimes are low risk and high return for the bad guy,” he said.
Deepak Pillai, a data protection practitioner with Christopher and Lee Ong, said with the recent amendments to the PDPA, the law will not only be confined to data controllers, who collect data.
Third parties such as IT service providers or mailing agents who assist in the collection and processing of an individual’s personal data, or otherwise known as data processors – are also now bound by the Act.
“As such, the security standards specified in the PDPA apply to more parties involved in the collection and processing of personal data compared to before the amendments,” he said.
“The PDPA security standards are in the process of being revised and tightened, and should be a standard feature in all contracts between data controllers and data processors moving forward.”
He said the requirement makes it mandatory for data controllers to report any data breaches to the Personal Data Protection (PDP) commissioner so that such incidents will be investigated.
“The commissioner may investigate the reported data breaches and ensure that it does not repeat, as well as to notify the individuals affected so they and the company that suffered the breach may take action to avoid individuals from suffering further losses,” Deepak said.
He said strong enforcement is also key to ensuring compliance to the law.
Under the amendments to the PDPA which was passed by the Dewan Rakyat, each organisation that deals with data will have to appoint a data protection officer responsible for reporting any data breaches as soon as possible.
The PDP commissioner must be notified of this appointment.
A data officer who fails to report such incidents could face a fine of up to RM250,000 or a prison term of not more than two years, or both, if convicted.
Last year, the PDP commissioner received 779 complaints of data breaches and abuses. Up to June this year, 288 complaints were received.