On Feb. 26, MLY DP issued rules on data breach notification reporting.
MLY DP issued circular, guidance prescribing rules on data breach notifications (DBNs).
Follows MLY DP Aug. 2024 proposed amendments re privacy protection, see #223744.
Also follows MLY GVT Oct. 2024 amendedPersonal data protection act 2010, #218997.
Document dated Feb. 26, 2025, was added on Apr. 4, 2025 due to editorial backfill.
Background
Section 12B of the Personal data protection act 2010 requires a data controller to notify the MLY DP commissioner and data subjects if the data controller believes that a personal data breach has occurred; notification shall be made as soon as practicable.
If a personal data breach results in/is likely to result in any significant harm to a data subject, the data controller shall notify the personal data breach to the data subject.
Key Provisions
This circular prescribes the procedure for notifying a personal data breach by a data controller to both MLY DP commissioner and data subjects, and related matters.
It also specifies the obligation of data controllers to conduct assessments of breaches.
The data controller shall take reasonable steps to investigate the cause of the breach and promptly implement remediation or response measures to minimize any risk.
The data controller shall assess the weaknesses that led to the personal data breach and implement appropriate corrective and preventive actions to prevent recurrence.
MLY DP may conduct an investigation in relation to a data controller to ascertain whether the 2010 act has been contravened; any data controller who fails to make a notification to the commissioner may be liable to the penalties specified in the circular.
Effectiveness
The circular is effective on Jun. 1, 2025.
Regulators
MLY DP
Entity Types
Corp
Reference
PR, Cir 2 of 2025, 2/26/2025; Gd, DBN v 1.0, 2/25/2025;
