Personal Data Protection Act for Dong Zong

To kickstart the New Year, we spent two full days with The United School Committees Associations of Malaysia for the Personal Data Protection Act training. That name is really a mouthful to say, so we will go by its better known alias, Dong Zong.

Now, this is a rather unique engagement, for the simple fact that neither of our lead trainers in PDPA speaks a lick of Mandarin. The first is proficient in Malay (as he is Malay), the second (who is me) is proficient in English, although he is technically Chinese. While I am Chinese by birth, my proficiency in languages is as follows: English, Malay, Cantonese, German, Minionese, Mandarin. That is to say, I can talk in German and Minionese far better than I can talk in Mandarin. For those who are wondering, Minionese is the official language used by the Minions, the yellow, annoying creatures that so love bananas and that my sons so love watching.

Thankfully, we had another colleague who was proficient in Mandarin, but he needed a bit of an update on the subject, as he was from our technical deployment team for SIEM. So we had a bit of a crash course for both of us. I had to do the introductions, demo and clarifications in broken mando-canto-eng-nese, and he had to crash course the updated PDPA training.

We can usually do the training quite comfortably, including the technical demonstrations (which consist of us actually searching for personal information on the internet during the training itself, demonstrating how easy it is if you know which tools to use and how/where to look). But this was made infinitely harder by my lack of command of the language. To put it simply, it was like wrestling with a 300 pound catfish or a giant python. You know what to say in English, but the translation facility in your brain is broken and you just can’t get it out of your mouth, and what ends up coming out is meaningless dribble, which my 2 year old son would probably appreciate, but not a roomful of teachers and educationists…who are championing the Mandarin language and the progressive advancement of the Chinese community as a whole. It would be great if I told them I was actually Middle Eastern or Eskimo, then they wouldn’t expect so much from me – but I look like a total Chinese, so there’s no hiding the complete embarrassment of not being able to speak in Mandarin.

To Dong Zong’s credit, they did take it in stride, and our Mandarin-speaking colleague performed admirably (I think, since I did not understand him), and at the end of the two days we were very well appreciated because somehow, between the two of us, we got the job not just done, but done with great feedback and participation from the group. There was some really excellent Q and A time, which I had to answer in English/broken Cantonese and which got translated properly. We even had a chance to go through Dong Zong’s implementation of PDPA and did an impromptu, live commentary on the areas to improve in their privacy notice and other policies.

For a non-legal, practical way to implement and assess your company on PDPA, please drop us an email at avantedge@pkfmalaysia.com. We have done a lot of practical training on compliance with PDPA, and taken a lot of good info from the PDPA Commission itself. Our content is based on the material we developed with the deputy commissioner of PDPA during the time when we worked together to deliver our training to companies in Cyberjaya. Over the years we have enhanced it with demonstrations, as well as updated it with the latest developments in Malaysia’s Personal Data Protection Act.

PDPA Data User Classifications

Almost a year in since PDPA was enforced last year, we are still faced with slow adoption by many of our clients. We are still getting questions on whether they need to ‘register’ or not, and if they don’t, they assume they are exempted from the Act.

Registration and compliance are two different matters. Registration applies to the 11 categories of industries, while compliance applies to every organisation dealing with personal information for commercial purposes, including HR.

For easier reference, the data user classifications and their details are, once more, as follows:

Communications
  Licensees under the Communications and Multimedia Act 1998
  Licensees under the Postal Act 2012

Banking and Financial Institutions
  Banks and investment banks licensed under the Financial Services Act 2013
  Islamic banks and international Islamic banks licensed under the Islamic Financial Services Act 2013
  Development financial institutions under the Development Financial Institution Act 2002

Insurance
  Insurers licensed under the Financial Services Act 2013
  Takaful operators and international takaful operators licensed under the Islamic Financial Services Act 2013

Health
  Licensees, and holders of a certificate of registration of a private medical clinic or a private dental clinic, under the Private Healthcare Facilities and Services Act 1998
  A body corporate registered under the Registration of Pharmacists Act 1951

Tourism and Hospitality
  Persons carrying on or operating tourism training institutions, licensed tour operators, licensed travel agents or licensed tourist guides under the Tourism Industry Act 1992
  Persons carrying on or operating registered tourist accommodation premises under the Tourism Industry Act 1992

Transportation
  Malaysia Airlines (MAS), AirAsia, MASwings, AirAsia X, Firefly, Berjaya Air and Malindo Air

Education
  Private higher educational institutions registered under the Private Higher Educational Institutions Act 1996
  Private schools or private educational institutions registered under the Education Act 1996

Direct Selling
  Licensees under the Direct Sales and Anti-Pyramid Scheme Act 1993

Services
  Companies or persons in a partnership carrying on businesses in connection with legal, audit, accountancy, engineering or architecture services
  Companies or persons in a partnership conducting retail dealing and wholesale dealing as defined under the Control of Supplies Act 1961
  Companies or persons in a partnership carrying on the business of a private employment agency under the Private Employment Agencies Act 1981

Real Estate
  Licensed housing developers under the Housing Development (Control and Licensing) Act 1966; the Housing Development (Control and Licensing) Enactment 1978, Sabah; and the Housing Development (Control and Licensing) Enactment 1993, Sarawak

Utilities
  Tenaga Nasional Berhad, Sabah Electricity Sdn Bhd, Sarawak Electricity Supply Corporation, SAJ Holding Sdn Bhd, Air Kelantan Sdn Bhd, LAKU Management Sdn Bhd, Perbadanan Bekalan Air Pulau Pinang Sdn Bhd, Syarikat Bekalan Air Selangor Sdn Bhd, Syarikat Air Terengganu Sdn Bhd, Syarikat Air Melaka Sdn Bhd, Syarikat Air Negeri Sembilan Sdn Bhd, Syarikat Air Darul Aman Sdn Bhd, Pengurusan Air Pahang Berhad, Lembaga Air Perak, Lembaga Air Kuching and Lembaga Air Sibu

Our 8th Personal Data Protection Act Workshop on 25th February

We will be conducting our 8th free Personal Data Protection Act (PDPA) workshop on the 25th of February (and possibly our last).

The history of our workshops basically started in late 2012, when a small number of clients wanted to know more about the Personal Data Protection Act. At that time, we were doing a number of ISO27001 consultations, and of course one of the main domains was compliance with regulation, and PDPA came into the picture. Our first workshop was for the upper management of the Malaysian Software Testing Board (MSTB). Since then, we have conducted 1 workshop in our premises in Mont Kiara, 1 in Mines Hotel and 3 more in our customers’ premises. Some of these sessions we partnered with legal firms (who charged), but for clients who preferred just awareness we did it for free. The idea was to do it for 3 months, from December 2012 to February 2013, since this was a low activity period for us. However, once the public got wind of it, we were being requested almost every month by different companies, until we had to organise a mass workshop with the MAD incubator to cater to these requests.

This will be our second collaboration with the MAD incubator, and now, as we look forward to implementation rather than awareness, we can truly say the one year plus of workshops has given us a lot to learn about PDPA, even as we were lead speakers during the workshops. We will be having the deputy commissioner this time around, and we will for once take a secondary speaker and moderator role in the workshop.

We opened registration and in two days we were maxed out. In fact, our premises are oversubscribed and we had to turn down a few more requests. Hopefully we will be able to help address these concerned parties in the future. Otherwise, just write in to avantedge@pkfmalaysia.com and we will sort out your questions as best we can.

Registering for Personal Data Protection Act (PDPA) Malaysia

A lot of our clients have questioned us on how to register for PDPA, which seems to be the biggest concern at the moment.

Firstly, find out if you are in the list of company class to be registered:

Client Notification for PDPA – PKF Avant Edge

Then, once that is determined, follow the flow chart below:

Registration Flow Chart

Ta-da! It’s pretty straightforward. But do make sure to do so before the 15th of February!

Quit Calling Me or I will PDPA you!

This might be what, in the near future, we, the hapless victims of thousands of unsolicited phone calls, emails and SMSes, can say to the perpetrators who haunt our dreams with midnight messages and ghostly voicemails.

Here are the facts:

1) In my SMS inbox, I have three dozen messages from entities I don’t know over the last week. Half of them from politicians wishing me a good year of the Snake. Others from banks. Others from Astro. And I just had one telling me there’s an MACC stand up comedy coming up. What. The.

2) I have received some ridiculously timed phone calls. One came a few days back when Unifi was facing a nationwide outage, which had all the TM support staff coming back from their homes to fix it, given that they had a one year downtime policy, with the commitment to give updates to customers every 500 hours of downtime. Yes, I am being sarcastic. Unifi is a good intention and we appreciate it, but there are still a lot of holes to plug in that service. While halfway through one of the worst Unifi outages in the history of their short existence, I received a chirpy call from a woman identifying herself as a representative of TM. I immediately thanked the gods for such superb initiative from TM: to call me to apologise and to have my Unifi fixed immediately, without me lodging a call (which was not possible anyway, since the Unifi support line was also down). Instead the chirpy woman started to ask me if I wanted to upgrade my Unifi package to a better one. I asked her if she was aware there had been a major outage and the entire world was tweeting #unifi and trending to #garbage. She happily responded that she had no idea. I wish we could do an audit on Unifi support based on ISO20000 or ITIL. I bet we could add some value there.

3) How many emails have we received from companies we have unwittingly given our information to? I am not talking about those health hormones, Nigeria scams, appendage enlargement junk emails. I am talking about unsolicited marketing material from restaurants we have visited, companies we have met along the way etc. Admittedly we have also done such things (updating our customers)…but I have received piles and piles of emails and trilobytes of documents. It’s time for this madness to end.

So, Personal Data Protection Act? We’re not going to go through the 7 principles here. Many other websites have articulated it well enough. The question here is, if I have a company and we collect data as part of our CORE business, are we screwed?

No, you’re not. But you have some work to do.

You see, the PDPA is not telling you NOT to collect personal data. It’s governing the way you do it. It’s setting up rules, like putting a referee into a previously free-for-all football game. The good news is that the rules are not extremely rigid or specific. So there’s what we unprofessionally call wriggle room. Most consulting companies have fancy terms for this, but at PKF we are what we term a coffee-shop jargon company. We don’t like to throw in big terms when an easy word will do.

There are numerous ways to comply with PDPA, which we will touch on later. We provide IT and legal assistance for PDPA compliance. But the first thing you can do for yourself is this: do you have any policies and procedures governing your business processes? If the answer is no, then that’s where you will generally need to begin. A documented approach to collecting, sharing and storing data is essential for compliance. If you already do, well, you’re on your way to compliance even before you begin.

Let the new era of Data Protection begin!

© 2020 PKF AvantEdge