Best of 2022: Taking the first steps to compliance - in one-third the time

Being able to assist clients in operational compliance with data protection regulations, and helping them save money, resources and – crucially – time, has been one of the most memorable aspects of Benjamin Shepherdson’s job.

For nearly eight years, Shepherdson has been Country Manager, Malaysia, for data protection consultancy firm Straits Interactive, which runs the DPEX Network community.

Benjamin Shepherdson

In this time, he has worked with a team of experienced consultants to assist clients across multiple industries in Malaysia, including the retail, education, finance, telecommunications and energy sectors.

Among his various clients, many of whom still reach out to him from time to time for advice, Shepherdson is most gratified to recall one for whom he managed to do a gap assessment in six to eight weeks, after the organisation had struggled in this endeavour for eight months.

“This is the most satisfying part, when clients come back to you and say, ‘You know what, Ben, before we engaged you right, we spent 7 to 8 months trying to put in the gap assessment,’” said Sherpherdson.

“‘And here we are, after 6 to 8 weeks having run through a couple of sessions, we have almost completed compiling [the report] and are ready to present it to the head office.’”

“It's not to say that [the client] could not have done it without us,” he added. “But it was just whether to do it in seven or eight months, or to do it in about two months? They needed to present this assessment and we were able to help them do so in the fastest time possible.”

To assess your organisation’s data protection readiness, and to take proactive measures to protect the personal data in your care, please schedule a strategy call with our consultants at sales@straitsinteractive.com.

‘Friendly’ Malaysians’ data at risk

In light of recent news that cyber crime and data breaches are on the rise in Malaysia, Shepherdson, who is also a trainer and speaker, reflected on his fellow Malaysians’ attitudes towards their own personal data.

“It's typical of Malaysians to just hand over information so easily. If you need my information, I will just say, ‘Hey, you know what? Take my IC.’”

“It's actually very dangerous, because then people who actually have access to your information can actually replicate you. If you really sit and have that malicious thought, then I guess there's so many things you can do [with this information].”

This carefree attitude towards personal data, as well as towards sharing passwords at the workplace, something Shepherdson has observed during regulators’ inspections, is not surprising and due, he believes, to the “friendly culture that we have in Malaysia.”

As the only external consultant to be invited by the Personal Data Protection Department (PDPD) to present at their nation-wide industry roadshows, Shepherdson speaks about the Malaysia Personal Data Protection Act (PDPA) up to 10 times a year.

In some cases, he has to deliver his presentations in Malay, instead of English, and even speak in the regional dialect to be better understood by local stakeholders in various states.

Benjamin Shepherdson (top middle) at the 2018 Fireeye Cyber Defense Live event in Kuala Lumpur, August 15, 2018

Amendments to PDPA expected

As Malaysians become more aware of the PDPA and a need to better safeguard personal data, organisations will find themselves needing to put more policies and processes in place.

According to Shepherdson, Straits Interactive has been invited to be part of a panel of experts, a working group, to provide advice and expertise on operational compliance to the PDPD, such that the regulator would then consider suitable PDPA amendments to pass.

“[Our advice] is not to make the law more strict, but more practical for organisations to adopt it. One area we are looking at is a threshold for the appointment of a data protection officer, or DPO; another is in promoting data protection by design.”

Shepherdson’s advice for organisations in Malaysia, going forward, is to be more aware of how much personal data they collect, and for what purpose.

“The more information you collect, you will definitely need to have more controls in place,” he said.

“A simple analogy I always share with my audience is, if you have RM10, it is likely you would just put it in your pocket. But if you had RM100,000, where would you put it? In the bank, right?”

To learn more about data protection principles and trends from across Asia, please visit the Courses page on DPEX Network.

This article was originally published on 7 September 2022.