We recently had the privilege of conducting our PDPA Assessment Training for Tropicana Medical Centre, delivered to almost 40 people over 2 sessions. We touched on several topics, including a live demonstration of software used for hacking and for collecting personal data over the internet. We also went through the Personal Data Protection Act and, more importantly, how to implement it within a company.
Every company implements it differently; each has its own DNA and risk profile. The important thing is not to apply the PDPA as a blanket implementation, but to tie the requirements of the Act (or the spirit of it, as we say) to known standards: the Generally Accepted Privacy Principles (GAPP) from the AICPA and the Health Insurance Portability and Accountability Act (HIPAA) on the privacy side, and the well-known ISO 27001 and PCI-DSS for IT controls.
IT controls are central to any PDPA implementation because in most companies personal information has been digitised and sits in a database or some other logical storage, rather than in the filing cabinets of days gone by.
Aside from those, we went through a very useful demonstration of AlienVault as a way to keep track of assets, secure the network and monitor traffic, so that a breach of personal information can be detected rather than go unnoticed.
We also recently provided PDPA training to a public listed company. Unlike the usual awareness training, or the dragging-through-the-entire-Act training we are accustomed to, we designed this one specifically for internal auditors: how to build an audit program around the PDPA (utilising the AICPA GAPP and several other programs), together with demonstrations of tools used to hack or gather personal information and of tools that prevent or monitor such hacking and gathering.
The full training program is here: Assessing Compliance of PDPA in Your Organization
We are now an HRDF-certified training company.
We offer several SBL-claimable training courses, each including training materials and a certificate of attendance:
1) PCI-DSS Foundation Training (PCIP-led, QSA-developed materials), with a certificate of training from PKF and joint QSA partner Control Case International
2) PCI-DSS Implementor Training (PCIP-led, QSA-developed materials), with a certificate of training from PKF and joint QSA partner Control Case International
3) GST Malaysia Training (led by an RMCD-certified trainer)
4) Introduction to Technology Audit (led by a certified auditor and certified information security professional, CISA and CISSP)
5) Project Management Level 1: Foundations (led by a certified Project Management Professional)
6) Project Management Level 2: Advanced (led by a certified Project Management Professional)
7) Personal Data Protection Act Training (led by a certified auditor and certified information security professional)
Stay tuned for more details. Our training site has been updated at http://www.pkfavantedge.com/training-programs/
If you need more information, please send your enquiries to firstname.lastname@example.org.
Almost a year after the PDPA came into force, we are still faced with slow adoption by many of our clients. We still get asked whether they need to 'register' or not, and those who do not need to register assume they are exempt from the Act.
Registration and compliance are two different matters. Registration applies only to the 11 classes of data users listed in the Order, while compliance applies to every organisation that processes personal information for a commercial purpose, including in HR.
For easier reference, the data user classes and their details are, once more, as follows (sector headings restored from the original table):

Communications
Licensees under the Communications and Multimedia Act 1998
Licensees under the Postal Act 2012

Banking and Financial Institutions
Banks and investment banks licensed under the Financial Services Act 2013
Islamic banks and international Islamic banks licensed under the Islamic Financial Services Act 2013
Development financial institutions under the Development Financial Institution Act 2002

Insurance
Insurers licensed under the Financial Services Act 2013
Takaful operators and international takaful operators licensed under the Islamic Financial Services Act 2013

Health
Licensees, and holders of a certificate of registration of a private medical clinic or a private dental clinic, under the Private Healthcare Facilities and Services Act 1998
A body corporate registered under the Registration of Pharmacists Act 1951

Tourism and Hospitality
Persons carrying on or operating tourism training institutions, licensed tour operators, licensed travel agents or licensed tourist guides under the Tourism Industry Act 1992
Persons carrying on or operating a registered tourist accommodation premises under the Tourism Industry Act 1992

Transportation
Malaysia Airlines (MAS), Air Asia, MAS Wings, Air Asia X, Firefly, Berjaya Air and Malindo Air

Education
Private higher educational institutions registered under the Private Higher Educational Institutions Act 1996
Private schools or private educational institutions registered under the Education Act 1996

Direct Selling
Licensees under the Direct Sales and Anti-Pyramid Scheme Act 1993

Services
Companies or persons in a partnership carrying on businesses in connection with legal, audit, accountancy, engineering or architecture services
Companies or persons in a partnership conducting retail dealing and wholesale dealing as defined under the Control of Supplies Act 1961
Companies or persons in a partnership carrying on the business of a private employment agency under the Private Employment Agencies Act 1981

Real Estate
Licensed housing developers under the Housing Development (Control and Licensing) Act 1966; the Housing Development (Control and Licensing) Enactment 1978, Sabah; and the Housing Development (Control and Licensing) Enactment 1993, Sarawak

Utilities
Tenaga Nasional Berhad, Sabah Electricity Sdn Bhd, Sarawak Electricity Supply Corporation, SAJ Holding Sdn Bhd, Air Kelantan Sdn Bhd, LAKU Management Sdn Bhd, Perbadanan Bekalan Air Pulau Pinang Sdn Bhd, Syarikat Bekalan Air Selangor Sdn Bhd, Syarikat Air Terengganu Sdn Bhd, Syarikat Air Melaka Sdn Bhd, Syarikat Air Negeri Sembilan Sdn Bhd, Syarikat Air Darul Aman Sdn Bhd, Pengurusan Air Pahang Berhad, Lembaga Air Perak, Lembaga Air Kuching and Lembaga Air Sibu
This is the first announcement that gives us an indication the PDP Department intends to move forward with enforcement.
Basically, they are saying the time for excuses is over. Now it's time to give a good reason why it took so long to register.
To check whether you fall under the registration requirement, please use the table in the client notification we sent in 2013.
PDPA Client Notification – PKF Avant Edge