Client Success Story: MCIS Life

2021-06-03

In this feature, we speak to Naomi Santhanasamy, Manager, Compliance of MCIS Insurance Berhad (MCIS Life) about the company’s data protection journey with Straits Interactive and the DPEX Network through the challenges and their resolution to stay committed and relevant in the ever-changing landscape of today. MCIS Life prides itself on being innovative in the insurance industry and delivering insurance solutions that cater to the needs of the Malaysian market. In light of growing customers and partnerships, MCIS Life steps up data protection measures.

Please share with our readers about the background of the company and what made the company arrive at the decision to start on its data protection journey.

MCIS Insurance Berhad (MCIS Life) is a pioneer life insurer in Malaysia since 1954, regulated by Bank Negara Malaysia, and a proud member of the Sanlam Group, one of the world’s biggest internationally active insurance groups, since 2014.

As part of strengthening our Information Governance efforts and heightened regulatory requirements in the area of managing personal data, we embarked on a journey of establishing an effective Information Governance and Management system. This decision was a combination of the company’s proactive measures to stay relevant whilst meeting regulatory needs. Apart from meeting regulatory needs, personal data is regarded as the next growth hack for organisations wanting to leverage on accelerated expansion strategies; therefore, addressing the governance part was a natural progression in the right direction.

Was a committee formed to tackle the data-protection journey? If so, which departments were involved?

As with most companies, we needed to plan how personal data collected from various sources was used so that it is handled consistently throughout the business, to support business outcomes. By embarking on this journey, we did not limit ourselves to only security and compliance but delved into the entire Information Life Cycle right from “Collection” to “Disclosure or transfer of personal data” across the business. In that regard, a dedicated committee comprising key departments such as Operations, Risk and Compliance was formed to oversee the effective implementation of the personal data protection compliance programme. Besides that, the Information Solutions Department was separately engaged.

How was top management engaged before, during and post-data protection?

In MCIS Life, we maintain a rather flat but efficient matrix system that allows the top management to drive directions with sufficient guidance for the middle and other ranks to execute policies, governance and complete the feedback loop. The top management has always been very supportive of all levels of PDPA efforts. The board of directors is tasked with setting the tone-at-the-top on the importance of safeguarding personal data and the potential consequences on MCIS Life in the event of a personal data breach. The board of directors also exercises its oversight function in all matters pertaining to the proper handling of personal data, approves the company’s written policies and ensures procedures and controls are in place to provide adequate protection over the confidentiality and security of personal data. These are executed by the control functions such as Risk and Compliance as next steps. Business Units on the other hand are free to provide their feedback on what works and doesn’t work in the course of implementing the policies and procedures for continual improvement.

Any challenges faced during the project and how were they overcome?

The biggest challenge was ensuring all stakeholders were kept abreast of their roles, trained on the basic knowledge and then allowed to operate independently knowing that whenever clarity or guidance was needed in execution, they could reach out either to the dedicated committee or Compliance.

What has the company’s data protection journey with Straits Interactive and the DPEX Network been like?

Straits Interactive (“Straits”) was engaged by MCIS Life as a consultant to help assess MCIS Life’s state of Personal Data Protection Act (PDPA) compliance and personal data protection practices. Straits conducted a project overview briefing session for our top management on 17th May 2018. This was followed by a two-day workshop for 12 key managers and staff on the seven principles of Malaysia’s PDPA and how these applied to the collection, usage/processing, disclosure/transfer and storage/disposal of personal data. During the workshop, participants used Straits’ proprietary Data Protection Management System (now known as DPOinBOX) to perform a self-assessment of regulatory compliance with the PDPA and to document personal data inventories, data flows and privacy risks related to our key business processes that handle and process personal data. The journey with Straits was nurturing for MCIS Life, where the scope of work brought about an impact on all MCIS Life stakeholders, including our Agency Force. We could definitely see the change in behaviour and the level of sensitivity amongst staff when dealing with personal data. As for the DPEX Network, it has become a useful platform for PDPA personnel to keep learning and evolve with the happenings surrounding data protection needs and expectations.

What advice would you offer to those who are looking to implement a data protection management programme in their organisation?

It is important to analyse your company’s PDPA risks depending on its nature, size and complexity. One may consider investing in a tool like DPOinBOX to strengthen the monitoring processes, especially the detection of incoming and outgoing data. Subsequently, create and put in place a robust data breach notification process to address breaches in a timely manner. Early or prompt detection could potentially avoid reputational damages and penalties. To support the data protection management programme, you need to consider crafting practical and relevant policies and procedures in accordance with the needs of your company instead of lengthy documents that are too difficult to comprehend and comply with. You may consider embedding the relevant requirements to workflows to avoid losing sight of key requirements.

Post-project, what are the ongoing data protection activities that have been implemented to ensure that the company keeps up to speed with the data protection laws?

Post-project, we have turned our focus to learning and awareness. We keep our policies and procedures up to date, simplifying processes where possible to ensure compliance. Training and awareness have been beefed up as part of continuous learning. Subsequently, there was implementation work involved in cascading relevant processes and procedures to staff of all levels within MCIS Life. PDPA training has been made mandatory via e-learning, together with an assessment on an annual basis, on top of other classroom training to keep reminding everyone of the importance of having a sense of responsibility towards handling customer data.

Any final words for our readers?

There is never an end to heightened requirements and expectations by regulators especially in this era of digitalisation, post the global pandemic period. Control points in protecting data have to evolve with the times and needs of every organisation. Early investments in necessary tools may save huge losses that could potentially come in the form of financial penalties. Further, data protection will remain a key concern for organisations of all sizes in the current economic climate and beyond. Therefore, starting on the journey as soon as possible saves huge losses and allows the organisation to keep refining these as they grow.
