Tay Partners

A step forward for data management: ASEAN Data Management Framework and ASEAN Model Standard Contractual Clauses for Cross Border Data Flows

LegalTAPS March 2022

A step forward for data management: ASEAN Data Management Framework and ASEAN Model Standard Contractual Clauses for Cross Border Data Flows

Download PDF File

On 30 November 2021, the Personal Data Protection Commissioner issued an advisory recognizing the adoption of the ASEAN Data Management Framework (“DMF”) and the ASEAN Model Contractual Clauses for Cross Border Data Flows (“MCCs”) which were approved during the 1st Association of ASEAN Digital Ministers’ Meeting hosted by Malaysia on 22 January 2021 with the aim to enable harmonized standards for data management and cross border data flows within ASEAN.

The DMF is primarily designed to provide guidance based on best practices to private organizations and businesses operating within ASEAN Member States, particularly small and medium enterprises, to implement a data management system which includes data governance structure and appropriate data protection safeguards based on the purpose of data sets throughout its lifecycle. It is intended to be adapted to varying business needs for adoption and tailoring by the organizations and businesses to their own systems of managing data. With a DMF, organizations would be better equipped to manage and protect data adequately and instil trust and confidence in their customers and business partners while leveraging the use of data to drive business growth.

In essence, the DMF introduces six foundational components which are consistent with globally recognised personal data protection and privacy management programmes, aimed to enable organizations to leverage on a corporate governance structure to define, manage and monitor their data management processes. These foundational components are briefly summarised as follows:-

  • provide proper governance and oversight in implementing and executing the DMF;
  • develop data management policies and procedural documents;
  • establish a data inventory;
  • assess the impact and risk to organization using different impact categories if the data is compromised;
  • design and implement risk-based controls that are commensurate to the potential impact of the data being compromised according to data lifecycle; and
  • monitor, measure, analyze and evaluate the DMF components implemented to keep it up-to-date and optimized.

The MCCs are template contractual terms and conditions which may be used in agreements between organizations and businesses operating within ASEAN Member States that involve transfer of personal data across borders. While the MCCs are primarily designed for intra-ASEAN flow of personal data, these clauses may also be adapted for transfers between businesses intra-country in ASEAN Member States or transfers to non-ASEAN Member States.

The MCCs comprise two sets of contractual terms to cover situations involving controller-to-processor transfer and controller-to-controller transfer. These clauses which are intended to be the minimum standards, set out the baseline responsibilities, required personal data protection measures and related obligations of the parties based on the principles of the ASEAN Framework on Personal Data Protection (2016) and may be adapted and modified in accordance with any specific requirements of domestic laws.

The DMF and MCCs are developed for voluntary adoption by ASEAN Member States and organizations operating therein and hence are non-binding. However, organizations and businesses are encouraged to adopt the DMF and MCCs as these are vital resources and tools to be utilized in data-related operations to build a brand of trust, transparency and accountability with business partners and consumers and to meet data protection standards and requirements of foreign clients besides assuring a comparable level of protection and safeguards to the data held by the organizations and businesses.

As Malaysia has embraced the DMF and MCCs, organizations and businesses with digital and data-driven operations should take heed of the need to develop appropriate and robust systems of handling and managing data documented in the form of policies or to review and update their existing policies taking into consideration the guidance provided in the DMF to ensure adequate data security is in place. It is also important for multinational companies and organizations dealing with cross-border transactions to incorporate and adapt the MCCs in their agreements with appropriate modifications subject to Malaysian laws to ensure any transfer of personal data across border is conducted in a manner that is compatible with applicable legal requirements besides conducting due diligence on the other parties, including service providers, business partners and customers, to ensure they meet the requirements of the MCCs.

Lee Lin Li
T: +603 2050 1898

Chong Kah Yee
Senior Associate
T: +603 2050 1831