Personal data has become one of the most valuable assets an organization can hold. However, its value also makes it highly vulnerable and a prime target for cyber threats such as black hat hackers.
We have seen it too often: a single security breach can lead to the unintended exposure of millions of personal records, disrupt operations, damage reputations and ultimately undermine public trust.
For Tenaga Nasional Berhad ("TNB"), the pressing need to secure and protect its personal data could not be more important.
Failure to adhere to the applicable personal data protection laws and regulations can result in serious consequences including substantial financial penalties, regulatory actions, corporate liability (which may include imprisonment) and reputational damage, underscoring the importance of robust compliance and governance.
Beyond the legal consequences, the loss of investor and public confidence can have a long-lasting business impact. Personal data protection, therefore, is not just about compliance. It is about safeguarding the very trust and stability on which the company’s operations depend.
New Amendments, New Approaches
To safeguard the personal data of individuals involved in commercial transactions, the Parliament of Malaysia enacted the Personal Data Protection Act ("PDPA") in 2010, which came into force on 15 November 2013.
After more than a decade in force, the PDPA has been amended and gazetted through the Personal Data Protection (Amendment) Act 2024 ("PDPA Amendment"), to align personal data protection laws in Malaysia with global personal data protection standards by introducing significant changes to data protection regulations. Key amendments include the introduction of mandatory appointment of Data Protection Officers, mandatory notification of data breach, and the introduction of data portability rights.
In response to these regulatory changes, TNB's Group Legal Department has proactively held several engagement sessions with the Personal Data Protection Commissioner, engaged with the relevant internal divisions and issued formal guidance in the form of internal guidelines and circulars to ensure continuous compliance. These compliance efforts have been approved by TNB management, including the Mesyuarat Jawatankuasa Pengurusan Eksekutif Kumpulan (JEK) and the Board Sustainability & Risk Committee (BSRC).
By aligning its compliance efforts with the new amendments, TNB not only strengthens the protection of its personal and sensitive personal data but also reinforces its commitment to place the highest priority on ensuring that customers' personal data is managed with utmost care and in full compliance with the relevant laws and regulations. This upholds TNB's commitment to public trust in supporting the company's Environmental, Social and Corporate Governance (ESG) initiatives, particularly in social and governance aspects.



Putting Policy into Practice
To ensure compliance with the new PDPA Amendment, TNB has undertaken the following initiatives:

Issuance of Legal Updates and Guidance Materials
- Comprehensive legal updates, circulars, and guidance notes were developed and disseminated across TNB's communication platforms. These materials include a detailed legal update outlining the key changes brought about by the PDPA Amendments, a revised TNB Personal Data Protection (“PDP”) Notice for customers, a newly developed PDP Notice for TNB’s employees and job applicants and updated contractual clauses to ensure alignment with regulatory requirements. These PDP Notices were made available via TNB's website and various digital platforms, ensuring transparency and accessibility for all stakeholders.
- Further, TNB has also developed a new Biometric Authentication Notice (Biometric Notice), which serves to inform data subjects of the collection and use of an individual’s biometric data for identity verification purposes.

Engagement with the Personal Data Protection Commissioner
- To ensure compliance with the amendments to the PDPA, TNB has proactively taken initiatives including, but not limited to, conducting several engagement sessions with the Personal Data Protection Commissioner ("PDP Commissioner").
- TNB has also provided insight and feedback to the PDP Commissioner’s Office on the PDPA Amendment, which includes attending a few of the Sesi Libat Urus and reviewing and commenting on Public Consultation Papers.

Appointment of TNB Data Protection Officer ("DPO")
- TNB has appointed a Head DPO along with Divisional DPOs across key divisions that handle significant volumes of personal data. The DPOs are entrusted with overseeing and ensuring the security and integrity of TNB’s personal data, reinforcing TNB's commitment to legal compliance and data protection.
- The DPOs are responsible for advising and supporting TNB in monitoring internal compliance with data protection laws. They provide guidance on conducting data protection impact assessments and serve as the primary point of contact between TNB and the PDP Commissioner.

Engagement session with TNB Senior Leadership
- The Head DPO and the data protection team continue to actively engage with TNB’s senior management to discuss the implementation and strategic directions needed to ensure compliance with the PDPA Amendment.
- These discussions ensure alignment across the organization and reinforce a unified approach to data protection compliance.

Continuous compliance activities
- TNB has developed a comprehensive, group-wide framework for personal data protection, which includes policies, notices and related documentation to ensure compliance across the organisation. As part of its ongoing commitment to regulatory alignment and operational excellence, TNB has also implemented a series of continuous compliance initiatives.
- These include developing group-wide personal data protection training materials, conducting the Personal Data Protection Observation Audits and developing the personal data protection toolkit consisting of compliance video and e-learning.
- TNB has also initiated a comprehensive series of training and awareness sessions to educate employees across various divisions and subsidiaries on the latest PDPA amendments and best practices in personal data protection. These training sessions are part of TNB's ongoing commitment to fostering a culture of personal data protection and ensuring that all employees are well-informed and equipped to handle personal data responsibly.
These compliance measures align seamlessly with TNB's Environmental, Social, and Governance (ESG) objectives and initiatives. By integrating robust personal data protection practices into its operations, TNB not only complies with regulatory requirements but also fosters trust and transparency with its stakeholders.