Review the PDPA sooner

This article first appeared in The Edge Malaysia Weekly, on March 15, 2021 - March 21, 2021.

The focus on cybersecurity in the MyDIGITAL initiative is a welcome and long overdue addition to the Malaysian digital agenda, according to industry players who spoke to Digital Edge. 

Cybersecurity, which forms Thrust #6 of the blueprint, is meant to create a trustworthy, secure and ethical digital environment. The idea is that the stability and security of such an ecosystem will enable businesses and society to leverage digital services without compromising on safety, data security, privacy, reliability and ethical standards. 

“I hope the government places an emphasis on education and awareness programmes at a national level,” says Alan Yau, chief technology officer at local cybersecurity player SysArmy Sdn Bhd. 

This needs to be a major priority for Thrust #6, he adds, because ultimately, humans are the weakest link in the cybersecurity chain. “One could spend infinite resources on technology, but humans are the ones using and operating it, so educating citizens, even via formal education, will be beneficial to combating cybercrime in the long run.” 

To this end, one of the key targets of the blueprint is the creation of 20,000 so-called cybersecurity knowledge workers. Rodney Lee, executive vice-president for Asia Pacific at Cybots Pte Ltd, calls on the government to engage with the industry to achieve this target. 

“The cybersecurity community is more than capable of starting these educational efforts, even now. We do not have to wait until 2025 to achieve the 20,000 target. There are many talented trainers in the industry who are more than willing to come forward and help.”

The starting point for this effort, according to Lee, should be to inculcate a “secure by design” mindset. This effectively means having cybersecurity as a main priority throughout a product development lifecycle.

Additionally, Lee hopes the blueprint spawns specific action plans in the coming months, the likes of which should set out clear and unambiguous initiatives to achieve the aspirations of the blueprint. 

Lee applauds the government for the aspirations laid out in the blueprint, which is a high-level document, but he needs to see specific action plans being drawn up and acted upon if the blueprint is to hit its stated targets. 

On the subject of targets, Lee questions the need to have a five-year target for strengthening and modernising the Personal Data Protection Act 2010. “Why is the PDPA only going to be reviewed by 2025? Sure, there are some slight changes to make, particularly on the issue of disclosure of breaches, as well as enforcement actions. But the law is already in place, and we should not be taking so long to review it,” he says.

Yau of SysArmy, however, thinks the PDPA could be tricky to update, hence the relatively long 2025 target. “While enhancing the PDPA should not be an issue, perhaps the most challenging area will be how we implement cross-border data transfer controls,” he explains. 

There is a specific provision in the current iteration of the PDPA that generally prohibits the offshoring of any local personal data by any company in the country, with the exception of a so-called whitelist of companies that would be allowed to offshore the data. 

Moves were seemingly made in early 2020, just prior to the imposition of the mid-March Movement Control Order (MCO), to possibly do away with the whitelist altogether. 

More than one year on, however, there is no further clarity on the issue of cross-border data transfers and how, if at all, these are going to be legislated.