OPINION

Notes from the Asia-Pacific region: Malaysia tightens data protection expectations with trio of guides

Malaysia's trio of data protection guides call on businesses to strengthen control over automated decision-making, risk management and privacy-by-design practices.


Contributors:

Charmian Aw

AIGP, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP

Partner

Hogan Lovells

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

With Malaysia's latest release of its trio of data protection guides on automated decision-making and profiling, data protection impact assessments and data protection by design, businesses operating in this Asia-Pacific market are expected to quicken their compliance pace, from a cautious trot to a firm gallop, taking full control of their accountability reins. 

Automated decision-making is a powerful stallion of the digital economy. It is defined broadly to include decisions made with minimal human involvement. Profiling goes further, and encompasses using personal data to evaluate, predict or infer behavior, preferences or economic status. Whether it is credit scoring, targeted advertising or hiring algorithms, these systems are capable of actively shaping outcomes.

The automated decision-making guide provides a clear line of sight that processing involving automated decision-making or profiling must comply with core data protection principles. Organizations cannot simply place a nominal jockey in the saddle and claim meaningful oversight. Rather, where automated decision-making produces significant legal effects, such as denying credit, employment or access to services, they are required not only to anticipate and mitigate risks of discrimination but also to maintain a steady hand of control and oversight over automated systems to ensure they do not rear and run wild.

Meanwhile, the DPIA guide offers a saddle and straps to keep an organization stable and secure. DPIAs are a structured, proactive mechanism to identify, assess and mitigate risks arising from personal data processing. This is fundamentally a risk management exercise; more specifically, analyzing how proposed processing could impact individuals and determining whether those risks are acceptable. 

In particular, the guide introduces: quantitative thresholds — where the data processing involves more than 20,000 individuals, or more than 10,000 for sensitive data; and qualitative factors — including automated decision-making, systematic monitoring, use of innovative technology or impacts on rights and access. 

Notably, automated decision-making itself is a trigger for DPIAs, pulling the rope between the two guides together.

Finally, the data protection by design guide is about training from infancy. It emphasizes embedding data protection into the entire life cycle of processing — from design to deployment and eventual deletion. Core elements and operational concepts referenced in this guide include data minimization, purpose limitation, transparency, user-centricity, default privacy settings and end-to-end life cycle governance. 

Taken together, these three guides mark a mount up in Malaysia's data protection landscape. To stay on course, organizations need to strengthen their governance hooves, bolt up on human oversight and ensure risks are accounted for before striding out of the stalls.

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
