Technology Law Blog

The Role, Function, and Expected Qualifications of a Data Protection Officer (DPO) Under the 2024 PDPA Amendments in Malaysia

With the introduction of the Personal Data Protection Act (PDPA) Amendment Act 2024, Malaysian organizations will be expected to appoint a Data Protection Officer (DPO). This new obligation represents a significant step toward aligning Malaysia with global best practices in data protection, following in the footsteps of jurisdictions like the European Union (EU), Singapore, and China. As the specific guidelines for this requirement are still being drafted, we can look to these jurisdictions for insight into what might be expected.

The Function of a DPO: Ensuring Compliance and Protecting Personal Data

The role of the DPO is primarily to ensure that organizations comply with data protection laws and regulations. In Malaysia, the amendments signal that the DPO will play a central role in ensuring that businesses comply with the expanded obligations under the PDPA. While awaiting the specific guidelines, we can anticipate that the DPO will be responsible for:

  1. Monitoring Compliance: Ensuring that internal data protection policies and practices are aligned with the PDPA.

  2. Data Protection Impact Assessments (DPIAs): Advising on and overseeing DPIAs, especially when new projects or processes involve significant personal data use.

  3. Breach Notification: The DPO will likely be tasked with managing data breaches and ensuring that regulatory authorities and affected individuals are notified when required.

  4. Liaising with Regulators: Acting as the contact point between the organization and the Personal Data Protection Commissioner’s office.

In other jurisdictions like the EU under the General Data Protection Regulation (GDPR), the DPO is also tasked with ensuring that data subjects’ rights are upheld, which could also be a role expected of Malaysian DPOs. Additionally, the DPO may be involved in employee training and audits to ensure ongoing compliance with data protection laws.

International Comparisons and Their Relevance to Malaysia

While Malaysia is still defining its specific expectations for the DPO role, jurisdictions like Singapore and the EU provide a blueprint for what we might see here. In Singapore, under the Personal Data Protection Act (PDPA), every organization must appoint a DPO, though the role is more flexible than in the EU, where the GDPR mandates DPO independence from operational management. Malaysia’s approach may lean more towards Singapore’s, where a DPO can fulfill multiple functions in smaller organizations, so long as they remain effective in managing data protection responsibilities.

China’s Personal Information Protection Law (PIPL), which mandates DPO appointments for organizations processing large volumes of personal data, could also offer lessons. The Chinese DPO’s role focuses heavily on data security and ensuring compliance with cross-border data transfers, which may become increasingly relevant as Malaysian businesses expand their digital operations regionally and globally.

DPO Background: IT vs. Legal Expertise

One of the key distinctions between DPOs across various organizations is their professional background. Generally, DPOs are drawn from two fields:

  1. Technical IT Background: This is common in organizations where data processing and cybersecurity are heavily integrated into daily operations. DPOs with technical expertise are often better suited to organizations where the primary concern is ensuring robust data security measures are in place.

  2. Legal Background: DPOs with legal expertise are typically found in organizations where compliance with data protection laws and regulations takes precedence, and where legal risk mitigation is key.

Malaysian organizations will need to assess their specific needs when appointing a DPO. For instance, an e-commerce platform may benefit from a DPO with a strong technical background to handle the operational complexities of securing personal data in a digital environment, while a financial institution may prioritize a legal expert who can navigate regulatory compliance challenges.

Qualifications of a DPO: What Should Malaysian Businesses Expect?

Although the Malaysian PDPA Amendment Act 2024 does not yet specify the qualifications for a DPO, it is expected that they will need to demonstrate a robust understanding of the PDPA and best practices in data protection. Drawing from other jurisdictions, a DPO’s qualifications typically include:

  1. Expert Knowledge of Data Protection Law: This is a requirement under the GDPR in the EU, and it is likely that Malaysian DPOs will need to be well-versed in the local PDPA.

  2. Data Security and IT Systems Knowledge: A DPO must understand the technical measures that can be implemented to safeguard personal data, especially in organizations where the use of technology is critical.

  3. Risk Management Experience: Conducting data protection impact assessments and managing data breaches will likely be essential skills for DPOs in Malaysia.

  4. International Certifications: Many organizations look for DPOs with international certifications such as the Certified Information Privacy Manager (CIPM) from the International Association of Privacy Professionals (IAPP). These certifications demonstrate that the DPO is equipped with the necessary knowledge and skills to navigate complex data protection environments.

Independence and Accountability

One of the major points of distinction between jurisdictions like the EU and Singapore is the degree of independence expected of the DPO. In the EU, DPOs must be independent and free from conflicts of interest, ensuring they can provide unbiased oversight on data protection matters. Singapore’s approach is less strict, allowing the DPO to hold other roles within the organization. Malaysian organizations should prepare for the possibility that their DPO will need a level of autonomy, particularly in larger businesses where significant volumes of personal data are handled.

In Malaysia, we can expect the DPO to be held accountable for ensuring the organization adheres to the PDPA. They will likely play a key role in liaising with regulators, much like their counterparts in the EU and Singapore. Organizations will need to ensure that their DPOs are empowered to enforce data protection practices effectively, which may mean providing them with the necessary resources, authority, and reporting lines directly to senior management.

External Appointment of a DPO

In many jurisdictions, organizations have the option to appoint an external DPO. This is particularly useful for smaller businesses that may not have the internal resources to hire a dedicated, full-time DPO. By outsourcing this role to an external specialist, organizations can receive expert guidance and oversight on data protection matters without the need for a permanent hire. This approach is recognized under frameworks such as the GDPR in the EU, where external DPO services are widely used, and is expected to be similarly applicable in Malaysia under the new PDPA amendments.

Outsourcing the DPO role can provide businesses with the necessary expertise while remaining cost-effective. An external DPO can ensure compliance, manage data protection obligations, and provide ongoing training and audits, all tailored to the specific needs of the business.

Conclusion

As Malaysian organizations prepare for the implementation of the PDPA Amendment Act 2024, it is essential to understand the role and qualifications of a Data Protection Officer, whether appointed internally or externally. For organizations looking for expert advice on DPO appointments or considering the external appointment of a DPO, SLC is here to help. With extensive experience in data protection law and regulatory compliance, we offer specialized services to ensure your organization meets its legal obligations. Contact us today to learn more about appointing a DPO or to engage SLC as your external DPO partner.

Darmain Segaran