InsiderTAPS (22 January 2021)
Ten Practical Steps to Data Protection Compliance
In this information age where data is growing exponentially and becoming more readily accessible, it has been recognized as one of the most valuable assets for businesses of all sizes, from a small startup to a global conglomerate. It is seen as an invaluable tool for decision-making, improving products and services and increasing customer satisfaction, which will in turn maximize profitability. With the increase in high-profile incidents in Malaysia involving leaks of company data and customer data in recent years, the need for data protection and privacy is becoming increasingly important for businesses and organizations. Examples of some prominent data breaches that have hit the headlines in the past three years include the leak of up to 50,000 Astro Internet Protocol TV customers’ details such as names, addresses, mobile numbers and portal ID numbers, which were found to be offered for sale on Lowyat.net; the breach of Astro customers’ identity card data, with names, identity card numbers, date of birth, gender, race and address being made public; and the odious disclosure of 30 million Malindo passengers’ details posted in online forums and offered for sale on the dark web. A data breach can have a severe impact on the reputation of a business or organization and may result in loss of customers and hefty penalties imposed by the regulators.
Practical steps to compliance
In Malaysia, the Personal Data Protection Act 2010 (“PDPA”), which was enacted to regulate the processing of personal data of individuals (“data subjects”), places significant obligations on businesses and organizations in the use, handling and management of such data. This article identifies and discusses ten key practical steps to be taken by an organization to achieve robust PDPA compliance.
Appointment of person responsible for compliance
Organizations should appoint an employee of managerial level who has the knowledge and has been well trained (“appointed person”) to monitor, oversee and demonstrate data protection compliance. The appointed person will be the primary contact point for the organization on all matters concerning data protection and privacy, which include the following:
advising the management and staff on appropriate measures to ensure compliance with the PDPA;
formulating, implementing and updating data protection procedures, processes and policies across the organization;
handling requests, inquiries and complaints from data subjects in respect of their personal data; and
cooperating with regulatory bodies during investigations of complaints, inquiries and inspections.
Registration of data user
Organizations that fall within any of the following classes of data users must be registered with the Personal Data Protection Commissioner (“Commissioner”):
banking and financial institution;
tourism and hospitalities;
An application for registration of a data user can be made online on the official website of the Personal Data Protection Department (https://www.pdp.gov.my/jpdpv2/?lang=en), accompanied by the prescribed registration fee, which ranges between RM100 and RM400 depending on the type of business.
The registration is valid for 24 months from the date the application is approved and must be renewed not later than 90 days before the expiry of the registration with payment of the prescribed renewal fee.
Audit and gap analysis
As an initial step, it is recommended for organizations to conduct a data protection audit of their practices and procedures in processing personal data to identify areas of non-compliance and potential non-compliance and gaps requiring remediation. In carrying out the audit, it would be helpful to document the type of data being processed, both manual and electronic, with data flow diagrams detailing where the data is collected, how it is used, with whom it is shared, where it is transferred to, how it is stored and maintained and how it is disposed of.
Formulation of corrective action plan
Following the audit, organizations may assess and analyze what actions and changes need to be implemented to address and close the gaps of non-compliance identified, and thereafter determine and formulate a corrective action plan. The corrective action plan should take into consideration the following issues:
whether there is a legal basis for each processing (including disclosure and cross-border transfer) of personal data;
whether the personal data being collected and retained is minimal and necessary;
whether necessary consent is obtained from data subjects whose personal data is being processed;
whether adequate notices are given to data subjects whose personal data is being processed;
whether there is a written contract governing the activities of data processors;
whether adequate security measures are in place to protect the personal data;
whether there is a retention period and disposal timeline for each type of personal data; and
how data subjects may exercise their rights conferred by the PDPA.
Implementation of data protection procedures and processes
It is pertinent to review and ensure that detailed and robust procedures and processes involving personal data are in place and compliant with the PDPA. These may include data collection processes, data security procedures, data retention and disposal procedures, data subject request handling procedures, marketing procedures and data breach handling processes.
Documentation of policies
All data protection procedures and processes must be documented in a data protection policy, to be supplemented by a security policy and data retention policy, setting out the organizations’ obligations under the PDPA as well as processes, procedures, standards and best practices in processing, handling and managing personal data. The policies should be approved by the management and effectively communicated to all staff to enable them to better understand their obligations and the requirements under the PDPA.
Review of privacy notices and standard forms
Existing privacy notices will need to be reviewed and updated to ensure that all purposes for processing data are adequately covered and all necessary information prescribed under the PDPA is properly included. A fresh notice or a supplemental notice must be given to data subjects before their personal data is processed for any new purpose. All privacy notices must be provided in both the national language (i.e. Malay) and English, as required under the PDPA.
Data collection forms should also be reviewed to ensure that only the minimal amount of data that is strictly necessary is being collected and processed by organizations.
Review of contracts
It is imperative for organizations to put in place a contract in writing with each of their data processors under which the data processors agree to act only on the organizations’ instructions. Such contracts will need to be reviewed and updated to reflect the data processor’s obligations under the PDPA. Whilst the PDPA does not specify any mandatory terms to be included in the contract, the contract should ensure that the organizations have a right to audit the data processor to ascertain compliance with the data protection requirements of the contract and that the data processor agrees to comply with data security obligations equivalent to those imposed on the organizations under the PDPA.
Training should be provided to staff across the organization to educate them on the processes, procedures, standards and best practices in processing, handling and managing personal data and to raise their awareness of the PDPA. The training program should focus on the roles and responsibilities of the staff as well as the risks related thereto. Such training should be provided on a regular basis, twice a year, to refresh and update staff’s knowledge of data protection.
In order to demonstrate compliance with the PDPA, organizations must keep and maintain a record of any application, notice, request or any other information relating to personal data that has been or is being processed, and all information and documentation relating to processing operations and compliance action, so that they may be produced to the Commissioner upon request. During an inspection, the Commissioner may request the following information and documents:
the record of consent obtained from data subjects;
the record of written notice issued to data subjects;
the list of disclosures to third parties;
the security policy;
the record of data retention and disposal;
the record of updates and amendments to personal data; and
all other information and documentation relating to processing operations and compliance action.
Consequences of non-compliance
Businesses and organizations that fail to comply with the requirements under the PDPA may face criminal penalties or administrative sanctions which are discussed below.
The Commissioner is empowered to conduct an inquiry or investigation on its own initiative or upon receiving a complaint of an alleged contravention of the PDPA. Where, following the investigation, the Commissioner decides that the PDPA has been contravened, the Commissioner may serve an enforcement notice specifying, amongst others, the breach and the steps to be taken to remedy the breach within a certain period, and directing, if necessary, the relevant data user to cease processing the personal data. Failing to comply with the enforcement notice may incur a fine not exceeding RM200,000 or imprisonment for a term not exceeding two years or both. The Commissioner may also revoke the registration of a data user.
Non-compliance with the PDPA also amounts to an offence which attracts a fine or a term of imprisonment or both. Depending on the nature of the offence, it may lead to a fine between RM100,000 and RM500,000 or imprisonment of one to three years or both, even though certain offences are compoundable. For instance, a breach of the seven Personal Data Protection Principles may incur a fine not exceeding RM300,000 or imprisonment for a term not exceeding two years or both.
Further, any person who at the time of the commission of the offence was a director, chief executive officer, chief operating officer, manager, secretary or other similar officer of the body corporate or was purporting to act in any such capacity or was in any manner or to any extent responsible for the management of any of the affairs of such body corporate or was assisting in such management:
may be charged severally or jointly in the same proceedings with the body corporate; and
if the body corporate is found to have committed the offence, will be deemed to have committed that offence unless, having regard to the nature of his functions in that capacity and all circumstances, he is able to prove that (i) the offence was committed without his knowledge, consent or connivance; and (ii) he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.
As data gains greater importance, a data protection compliance program should be a top priority for businesses and organizations. Given the adverse consequences of non-compliance with the PDPA and the increased enforcement actions undertaken by the Commissioner, it is crucial for all organizations to fully grasp the requirements and obligations under the PDPA and the potential impacts on their businesses. While significant amendments are poised to strengthen the effectiveness and practical implementation of the PDPA, and in anticipation of those amendments being enacted, it would be sensible to consider and adopt the above key practical steps, which will help to support and enhance an organization’s data protection compliance program and to demonstrate compliance with the PDPA.
Lee Lin Li
T: +603 2050 1898
Chong Kah Yee
T: +603 2050 1831