Home Framework A Step Forward for Data Management: ASEAN Data Management Framework and ASEAN Model Contractual Clauses for Cross-Border Data Flows

A Step Forward for Data Management: ASEAN Data Management Framework and ASEAN Model Contractual Clauses for Cross-Border Data Flows


On November 30, 2021, the Personal Data Protection Commissioner issued a notice acknowledging the adoption of the ASEAN Data Management Framework (“DMF”) and the ASEAN Standard Contractual Clauses for Cross-Border Data Flows (“MCC”) which were endorsed at the 1st Meeting of the ASEAN Digital Ministers Association hosted by Malaysia on January 22, 2021 with the aim of enabling harmonized standards for data management and cross-border data flows within ASEAN.

The DMF is primarily designed to provide best practice based guidance to private organizations and businesses operating in ASEAN member states, especially small and medium enterprises, to implement a data management system that includes a data governance structure and appropriate data protection safeguards based on the purpose of datasets throughout its lifecycle. It is intended to be tailored to different business needs to be adopted and adapted by organizations and businesses to their own data management systems. With a DMF, organizations would be better equipped to properly manage and protect data and instill confidence in their customers and business partners while leveraging the use of data to drive business growth.

Essentially, the DMF introduces six foundational components that align with globally recognized personal data protection and privacy management programs, aimed at enabling organizations to leverage a corporate governance structure to define, manage and monitor their data management processes. These fundamental components are briefly summarized as follows:-

  • ensure appropriate governance and oversight in the implementation and execution of the DMF;
  • develop data management policies and procedural documents;
  • establish a data inventory;
  • assess the impact and risk to the organization using different impact categories if data is compromised;
  • design and implement risk-based controls that are commensurate with the potential impact of compromised data based on the data lifecycle; and
  • monitor, measure, analyze and evaluate the implemented DMF components to keep it updated and optimized.

MCCs are model contractual terms that can be used in agreements between organizations and businesses operating in ASEAN member states that involve the transfer of personal data across borders. While MCCs are primarily designed for intra-ASEAN flow of personal data, these clauses can also be adapted for intra-country business-to-business transfers within ASEAN member states or transfers to non-ASEAN member states. ASEAN.

The MCCs include two sets of contractual clauses to cover situations involving controller-to-contractor handover and controller-to-controller handover. These clauses, which are meant to be the minimum standards, set out the basic responsibilities, required personal data protection measures and related obligations of the parties based on the principles of the ASEAN Framework on Personal Data Protection (2016 ) and may be adapted and modified in accordance with any specific requirements of national legislation.

The DMF and MCCs are developed for voluntary adoption by ASEAN member states and organizations operating therein and are therefore non-binding. However, organizations and businesses are encouraged to adopt the DMF and MCCs as they are essential resources and tools to use in data-related operations to build trust, transparency and accountability with business partners and consumers and to comply with data protection standards and requirements of foreign customers in addition to ensuring a level of protection and backup comparable to data held by organizations and businesses.

As Malaysia has adopted DMF and MCC, organizations and businesses with digital and data-driven operations must consider the need to develop appropriate and robust data processing and management systems documented in the form of policies. or review and update their existing policies. taking into account the guidance provided in the DMF to ensure that adequate data security is in place. It is also important for multinational companies and organizations dealing with cross-border transactions to incorporate and adapt the MCCs into their agreements with appropriate modifications subject to Malaysian laws to ensure that any transfer of personal data across the border is completed. in a manner that is consistent with applicable regulations. legal requirements in addition to performing due diligence on other parties, including service providers, business partners, and customers, to ensure they comply with MCC requirements.