It's great that amendments to the Personal Data Protection Act (PDPA) have been passed.
However, there is a lack of clarity on certain aspects.
Organisations, especially small- and medium-sized enterprises, will have a hard time deciphering the new compliance mechanism because of vague descriptions. Important information, such as the time frame to report data breaches, is missing.
The government could make the application of regulations dependent on company size and activities instead. This would address the potential disproportionate consequences for smaller start-ups.
Legislative examples can be found abroad. The European Union's General Data Protection Regulation (GDPR) is applicable only to companies employing more than 250 people.
This flexibility is similar to Australia's Privacy Act and Japan's Act on the Protection of Personal Information.
Under the GDPR, a data protection officer is mandatory only for certain organisations, such as public authorities and companies that do large-scale monitoring and processing of data.
With regard to the PDPA, the government should release precise rules for businesses. These must include case studies and real-world examples to increase compliance rates and remove doubts.
The PDPA allows data subjects to access and correct their personal data, and to consent to its portability.
In a world where misinformation and disinformation are prevalent, it is important to ensure that data subjects also have the right to erase their personal information from the public digital record.
Finally, the government needs to have a feedback mechanism that enables businesses to share their challenges in complying with the regulations.
This would ease the personal data protection commissioner's task.
* The writer is an analyst at the Institute of Strategic & International Studies Malaysia
The views expressed in this article are the author's own and do not necessarily reflect those of the New Straits Times