TMT 2025

MALAYSIA Law and Practice Contributed by: Janet Toh, Irene Yong, Krystle Lui and Boo Cheng Xuan, Shearn Delamore & Co.

tion. In an effort to address these challenges, the Cyber Security Act 2024 (CSA) was recently introduced, followed by amendments to the Personal Data Protection Act 2010 (PDPA).

CSA

The CSA came into force on 26 August 2024 alongside subsidiary regulations relating to the notification of cybersecurity incidents, risk assessments, licensing of cybersecurity service providers, etc. Public and private entities (including private businesses) that are designated as national critical information infrastructure entities (“NCII Entities”) and cybersecurity service providers will be expected to comply with the regulatory requirements under the CSA and the above-mentioned regulations.

One of the main focuses of the CSA is the protection of national critical information infrastructure (NCII), defined to mean a “computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the state governments to carry out its functions effectively”.

The CSA identifies the following 11 sectors as NCII sectors, and any person or entity operating within such sectors may potentially be designated as an NCII Entity if the relevant sector lead tasked to carry out the designation is satisfied that such person or entity owns or operates an NCII:

• government;
• banking and finance;
• transportation;
• defence and national security;
• information, communication and digital;
• healthcare services;
• water sewerage and waste management;
• energy;
• agriculture and plantation;
• trade, industry and economy; and
• science, technology and innovation.

The CSA imposes various duties on an NCII Entity, including those relating to the implementation of measures, standards and processes, cybersecurity risk assessments, cybersecurity audits and notification of cybersecurity incidents.

PDPA

Where processing of personal data in commercial transactions is involved, the PDPA, which is the primary legislation governing the processing of personal data, will apply. The PDPA requires, among others, compliance with the seven Personal Data Protection Principles, namely the General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle, and the Access Principle, as well as other requirements such as those for the cross-border transfer of personal data.

Amendments to the PDPA pursuant to the Personal Data Protection (Amendment) Act 2024 (the “PDP Amendment Act”) aim to strengthen the data protection framework, including the introduction of data processors’ obligations, data portability rights, the requirement to appoint a data protection officer and mandatory data breach notifications, and they are being implemented in phases over the first half of 2025. This means that businesses that process personal data, including those in the digital economy sector, will have to adapt their business operations to align with the amended PDPA requirements. These adjustments may include reviewing data processing practices, updating internal policies, enhancing data security meas-
