Category: PDPA

Registering for Personal Data Protection Act (PDPA) Malaysia

A lot of our clients have questioned us on how to register for PDPA, which seems to be the biggest concern at the moment.

Firstly, find out if you are in the list of company class to be registered:

Client Notification for PDPA – PKF Avant Edge

Then, once that is determined, follow the flow chart below.

Registration Flow Chart

Ta-da! It’s pretty straightforward. But do make sure to do so before the 15th of February!

Personal Data Protection Act 2010 Enforced in Malaysia

Here we are finally. After months of speculation, the Malaysian Personal Data Protection Act (PDPA) came into force last week on November 15, 2013. To be honest, we weren’t really expecting this, since deadline after deadline had gone by. We have been doing our workshops since December last year, and only had a vague prediction that 2014 could be the year it is enforced after it missed the August deadline this year.

Well, surprise, we are now in a new era of data privacy and protection, and companies and individuals will be going head to head over the new currency: Information.

For the benefit of those who haven’t attended any of our workshops, here’s a summary of the 7 principles of the Act:

1) General Principle – Consent is key for this principle. Any information collected must only be used for the purpose it was given. For instance, I am giving you my information for you to process my housing loan. The next thing I know, your company is trying to sell me frozen yoghurt. Not nice. Additionally, don’t collect more than what is needed for that purpose. If you are collecting for a lucky draw, you don’t technically need to know his Credit Card number, do you?

2) Notice and Choice – My favourite. This constitutes a privacy statement at data collection points. You need to tell data subjects the nature of the data processed, purpose, rights and obligations of subject and of course, in both Malay and English. Yes you need both languages. The data subject should have a record or copy of the agreed notification. Time to be creative.

3) Disclosure – Only disclose what the data subject has consented to during collection, and also maintain a list of disclosures to third parties.

4) Security – This is where we generally come in directly. While the other principles constitute a lot of process changes, this principle simply states that “practical steps” must be taken to protect information from misuse, loss, modification, destruction etc. Basically the entire scope of Confidentiality, Integrity and Availability. Unfortunately, breach notification and safe harbour principles are not included in our PDPA.

5) Retention – Once the data has fulfilled its purpose, it should not be further retained.

6) Data Integrity – Steps must be taken to ensure personal data is accurate, complete, not misleading and updated to serve its purpose(s).

7) Access – Data subject must be able to access data held by the data user. The channel to correct inaccurate, misleading data must be provided to the data subject.

Additionally, PDPA has certain restrictions as follows:

a) Sensitive Personal Data – certain types of data (political opinions, religion, physical and mental health etc.) cannot be processed without explicit consent. I suppose I won’t be seeing any more forms with “Religion” on them. I always fill in “The Force” for fun, anyway.

b) Cross Border – This is a major one. Personal data cannot be transferred to a place outside Malaysia unless the minister specifies it or the individual has consented. In light of cloud computing, questions will arise if we store our customer CRM in the cloud, like AWS or even Google Docs. How will this affect us?

c) Explicit rules for Direct Marketing – Direct marketing, to sell and solicit products and services, is affected the most. Now a data subject can ask a marketer to remove the data and not process it any more for direct marketing. There is a jail term of 2 years and an RM300K fine.

d) Registration – Certain industries are required to register. For those not listed, well, we don’t need to register, but the Act still covers us!

e) Codes of Practices – In the near future, data user forums will be formed, where codes of practices/guidelines for compliance will be created. The commissioner still has the final say on the effectiveness of these codes of practices. This should be interesting, as in PKF we already have a special audit for Personal Information Management, as well as a product to specially scan for certain types of personal information in our client’s network.

In conclusion, we always knew this day would come, so we are not overly surprised. We have given hundreds of hours of free workshops over the last year and I hope, if you are one of those who attended, that it has spurred you on to compliance even before this announcement.

Because 3 months is an awfully short time for compliance. No better time than now to get started! Contact us at avantedge@pkfmalaysia.com or +603 6203 1888 if you require more information on our Personal data services, scans and workshops.

Personal Data Protection Act Roadshow

Has sort of ended.

Over the past few weeks, we’ve done a number of workshops on the Personal Data Protection Act, and invariably there are more questions than answers. Some workshops with C-levels went to levels of near hostility, as if we were actually the perpetrators of said Act; other workshops went relatively well, and some workshops had only half an hour of airtime before the questions came in like a flood of water.

Here’s the deal: we don’t know much more about the Act than what is given.

We partnered with a law firm and they dispense their legal opinions, but at the end, the Act is still an Act. It’s a legal document. It is what it is. It was quite funny sometimes that our workshop attendees actually thought we were lawyers promoting the Act…and that’s why at the next workshop we do (and there won’t be one for some time), we’re going to dress down in jeans and a t-shirt that says “The Geek shall Inherit the Earth.” We’re tech guys, and how we came across this Act was during our compliance assessments, where regulatory compliance is the highest risk and control to address. And also the fact that, aside from the first two principles, technology plays a vital role in facilitating compliance with the Act, especially for the principles of Security and Retention.

So anyway, it’s been an extremely hectic few weeks. If we were a full-time training company, it would be fine. Except we’re not. We have projects running here, there and everywhere, and we have to juggle all of these. I was in Sarawak giving a talk on cybercrime during the IIAM’s Corporate Fraud Conference 2013, and I managed to snap this shot:

It’s nice to see your name up there once in a while. It was a good turnout; although I only touched briefly on PDPA, it still garnered questions after my presentation. Many people are a little worried about the Act, and they have every reason to be. But if we prepare ourselves now, do the gap assessment, have a strategy to address it, put in place controls to address the obvious low-hanging fruit first, and address the grey areas later…we’ll be ready.

For the most recent PDPA presentation I did with the Incubator at MSC, here’s the link:

http://www.pkfmalaysia.com/publications/PDPA%20Presentation%20v2.0_MAD_Web.pdf

Quit Calling Me or I will PDPA you!

This might be what, in the near future, we, the hapless victims of thousands of unsolicited phone calls, emails and SMSes, can say to the perpetrators who haunt our dreams with midnight messages and ghostly voicemails.

Here are the facts:

1) In my SMS inbox, I have three dozen messages from entities I don’t know, received over the last week. Half of them are from politicians wishing me a good Year of the Snake. Others are from banks. Others from Astro. And I just had one telling me there’s an MACC stand-up comedy show coming up. What. The.

2) I have received some ridiculously timed phone calls. One came a few days back when Unifi was facing a nationwide outage, which had all the TM support staff coming back from their homes to fix it, given that they had a one-year downtime policy, with the commitment to give updates to customers every 500 hours of downtime. Yes, I am being sarcastic. Unifi is a good intention and we appreciate it, but there are still a lot of holes to plug in that service. While halfway through one of the worst Unifi outages in the history of their short existence, I received a chirpy call from a woman identifying herself as a representative of TM. I immediately thanked the gods for such superb initiative from TM: to call me to apologise and to have my Unifi fixed immediately, without me lodging a call (which was not possible anyway, since the Unifi support line was also down). Instead, the chirpy woman started to ask me if I wanted to upgrade my Unifi package to a better one. I asked her if she was aware that there had been a major outage and the entire world was tweeting #unifi and trending #garbage. She happily responded that she had no idea. I wish we could do an audit on Unifi support based on ISO 20000 or ITIL. I bet we could add some value there.

3) How many emails have we received from companies we have unwittingly given our information to? I am not talking about the health hormone, Nigerian scam and appendage enlargement junk email. I am talking about unsolicited marketing material from restaurants we have visited, companies we have met along the way etc. Admittedly we have also done such things (updating our customers)…but I have received piles and piles of emails and trilobytes of documents. It’s time for this madness to end.

So, Personal Data Protection Act? We’re not going to go through the 7 principles here. Many other websites have articulated it well enough. The question here is, if I have a company and we collect data as part of our CORE business, are we screwed?

No, you’re not. But you have some work to do.

You see, the PDPA is not telling you NOT to collect personal data. It’s governing the way you do it. It’s setting up rules, like putting a referee into a previously free-for-all football game. The good news is that the rules are not extremely rigid or specific. So there’s what we unprofessionally call wriggle room. Most consulting companies have fancy terms for this, but at PKF, we are what we term a coffee-shop jargon company. We don’t like to throw in big terms when an easy word will do.

There are numerous ways to comply with PDPA, which we will touch on later. We provide IT and legal assistance for PDPA compliance. But the first thing you can do for yourself is this: do you have any policies and procedures governing your business processes? If the answer is no, then that’s where you will generally need to begin. A documented approach to collecting, sharing and storing data is essential for compliance. If you already have one, well, you’re on your way to compliance even before you begin.

Let the new era of Data Protection begin!

© 2024 PKF AvantEdge