Month: March 2014

PDPA Starter Pack Samples

Since we launched our PDPA services last week, we have received multiple calls/emails on the PDPA Starter Pack Documentation. It’s true that we generally do not include support for the documents (hence the very low cost), but we ended up doing it anyway because we just can’t help ourselves.

Anyway, we’ve decided to provide some samples on how some of these documents look like. We’ve actually been doing corporate policies for years, as part of our ISO27001 or PCI-DSS implementation, but for PDPA, we did come up with some new ones to address the specifics of PDPA.

We generally break our policies structure into tiers which is consistent to the document hierarchy of ISMS with a few changes. First tier policies are in general where other standards can refer to, and itself can refer to lower tiers for more granular instructions. In this case, we have the Personal Data Policy. The information security policy can also be on this tier, but in this case, we put the security policy and other policies on tier 2, where the Personal Data Policy reference to. Under this arrangement, changes can be made for instance in a Tier 2 policy, without changing in Tier 1, because Tier 1 only reference and point to the corresponding policy in Tier 2 for details. Management of policies and updates now become easier. Tier 3 will be documents, such as access forms, change forms etc.

Other companies can also incorporate into their own existing structure of documents, depending on the needs. Every document also has clearly marked areas for user input, as well as comments at the side for further instructions or references to the section in the PDPA document or/and the subregulations. All policies and standards will be in word format for editing purposes.

You can download the samples here, that consists of the README files and 2 policies and 2 documents. These are incomplete documents as a sample, but it should give you an idea how is it like for the starter pack.

PDPA Samples Starter Pack – DOWNLOAD!

As always, if you have any questions, feel free to drop us a note at




Personal Data Protection Act Products

It took us a while to work this out. We started developing a suite of products to address PDPA concerns of our clients back in late 2012. Aside from developing with our colleagues in UK and India (who have experience with personal data protection acts of their own for years), we have also engaged discussions with agencies like Cybersecurity. Of course, we have also had legal firms partnering with us over the course of the development, but we wanted our products to be practical and operational, not catered to legal department, but to whichever department that needed to implement these.

Over the past months, we have met with the Personal Data Protection Department to find additional clarity, culminating in a public joint awareness workshop between PKF and PDP Department on the 25th of February 2014.

Over 2013 and early 2014, we have refined these and decided to roll out different packages to cater to different requirements of our clients. PKF, in reality, isn’t the big 4. We don’t have multi billion dollar clients (well, we do, but not many), and in this reality, most of our clients, even the bigger ones are extremely cost conscious. Hence, all our awareness talks including the one we jointly organised with the Personal Data Protection Department, are free of charge.

Hence, I was sitting at a meeting with a customer back in 2013, and she mentioned that I should think of a tiered product: Basic, Intermediate and Advanced when it came to PDPA. As this was a fairly new Act, it would be best to try to get everyone on board at the lowest cost possible.

Hence, starting last week, we’ve launched our PDPA suite of services:

1) Starter Package

This is for customers to “do it themselves”, with the basic document templates required based on the Personal Data Protection Act 2010 and the current subregulations. All that is required is to edit these templates. Implementation guidance is only from the policies, and the organisation will have to implement on their own and the responsibility of providing evidence of implementation of controls is entirely from the organisation. We won’t be verifying or validating any of the controls, as this is only on documentary level. This is a good starter package to immediately address the key PDPA issues from a documentation perspective. This will include any updates of code of practices we will get from time to time from the PDP Department.

2) Checklist Package

This includes everything in Starter, as well as our Checklist, which had been developed and discussed with government agencies. The Checklist, which covers all 7 principles in easy to understand explanations also maps to the current ISMS/PCI/COBIT standards, for the ones more inclined to technical audit. Using the checklist as implementation guidance, we expect most of our customers to be able to address most of the PDPA concerns in this package. Again, we cannot verify or validate the implementation or take any responsibility in the results, but in this instance, the roadmap for PDPA compliance is provided, and organisations to follow the checklist. Offsite support provided.

3) Assessment Package

This includes everything in Checklist, and also onsite gap assessment; scope definitions; implementation advisory, training and follow up assessment.This would be for customers looking for a comprehensive solution to address all of PDPA principles. Using this baseline, this could further launch the organisation into other compliance projects such as ISO27001 etc.

4) Custom package

This typically is for organisations who want us to do the implementation, instead of just assessment and advisory. This could be to locate resources onsite for the period of the project, to do project management; to do technical implementation etc.

The current packages are priced as follows:

We’ve purposedly priced Starter as such so that all our clients will take up at least to do the policies addressing PDPA. That itself is reasonable enough to get started and to have something. Even our assessment package is almost 50% lower than our typical IT Audits, again to hopefully have more clients consider addressing PDPA as opposed to just ignoring it.

We will be publishing the products more formally through the official website, but for now, do contact us at or call +603 6203 1888 for questions or samples of PDPA policies.

PKF Avant Edge PDPA Workshop with Dr Zainal Abidin Sait

On the 25th of February, PKF Avant Edge, along with the MAD Incubator organised our largest Personal Data Protection Act (PDPA) workshop. This was our 8th workshop on PDPA starting from November 2012, and our second one that was done with the MAD Incubator in the MSC Technology Commercialisation Centre in MMU, Cyberjaya. We had almost 200 people registered for this event, in a large part due to our speaker, Dr Zainal Abidin Sait, who is the Deputy of Director General of Personal Data Protection Department under the Ministry Communication & Multimedia. In other words, to many people, PDPA from the horses mouth.

It took some time for us to organise this, in part due to the festival season in January and February, but mainly because Dr Zainal was a very busy man. Even when we took the time to meet him in his Putrajaya office in the KKMM building to confirm the agenda with him, I only had him for 10 minutes or so. It would have been shorter, but I suspect he was polite enough to give us a bit more time seeing that we came all the way to see him over something that could have been done by email. I was, in many aspect, extremely old school in this regard. 10 minutes face to face was worth a 100 emails back and forth.

The main reason I wanted to organise this workshop was to shape it like a Q&A session. Aside from being the speaker for the past 7 workshops we’ve done (all for free–I see it as part of our CSR), I’ve attended many PDPA talks. In most of these cases, they were conducted by mainly legal practitioners. Very experienced ones. And they were very good, and they went through the act very thoroughly, dissecting it with appropriate legal pizazz that the Act deserves. But like me, they weren’t enforcers. Our interpretation is through our own lenses, and try as we might, we carry some bias, and probably some misunderstanding of the Act itself. This was exacerbated by experiences I heard from other clients about the stringent requirements of the Act, set forth by their company lawyers. Again. They are not enforcers, and legal practitioners, bless their soul, would rather err on the side of caution. So what happened, is that some of my clients are so exasperated at the Act, that requires them to get people to sign off consent when they pass Parkson gift vouchers to them. Yikes. Time to get the horse on board.

So I took the first session and went through a few illustrations of data breach for the audience. Basically, I used this illustration from Aside from that, I demonstrated live a social trawler called Maltego by Paterva. We use this tool a lot in our penetration testing and social engineering services for our clients. This basically trawls the internet looking for publically available information about an individual. Suffice to say, these demonstrations of data mining was to set the context for Dr Zainal to work his magic. I went through the 7 principles quickly, had the coffee break session and then from around 10:30 am to 12:30 noon, Dr Zainal engaged the audience in his very frank dissection of the PDPA.

He only used one page of PDF. He advised us to read the act in Bahasa Malaysia. He broke down a lot of misconceptions of the Act, as well as who and what are in scope and not in scope. In all, his simple, straightforward talk on PDPA was the best I’ve heard. It was down to earth, easy to understand, and invited conversations and engagement with the people. It wasn’t someone holding a hammer over your head, it was a person who genuinely wanted to help. And so understandably, the questions started flowing in. He deftly answered most of them, in others, I only helped in rewording to make it clearer. It is a HUGE difference to have Dr Zainal speak compared to legal or IT practitioners. We are limited to how we see the act. He is not.

We managed to give him a nice speaker’s gift from PKF Avant Edge, a Royal Selangor dish with a thank you note engraved upon it. I hope there will be more sessions that we can arrange with him again. As far as first time speaker goes for us, Dr Zainal was a smashing success. Thank you, Dr.

My Slides can be downloaded here.

Dr Zainal didn’t use any slides, so if you missed his presentation, well…we’ll need to arrange another one!

© 2020 PKF AvantEdge

Theme by Anders NorenUp ↑