Mastering Compliance with Malaysia's PDPA: Understanding the 7 Key Principles

2021-08-13

Objective of protecting Personal Data

Why is it important for organisations (data users) to have a programme to protect the personal data they hold?

The objective of the Personal Data Protection Act 2010 (Act 709), or APDP Act, is set out in the Tenth Communications and Multimedia Act 1998: to ensure information security and network reliability and integrity. It is a form of cyber legislation introduced under the implementation of the Multimedia Super Corridor (MSC) to regulate the processing of personal data by data users in commercial transactions and to protect personal data in the common interest.

Principles and obligations of the Personal Data Protection Act (PDPA) of Malaysia

What are the MY PDPA obligations and laws?

The underlying theme of these obligations is accountability. To demonstrate accountability, the data user has to adopt an operational compliance approach, because any breach will come from lapses in the processes. A sustained programme and internal compliance framework is therefore the organisation's first line of defence before any breach can happen.

The Malaysia Personal Data Protection Act 2010 is modelled upon the European Union Data Protection Directive 95/46/EC, which was replaced by the EU GDPR, and contains principles based on OECD guidelines. The following shows the alignment of the various principles:


Can't seem to remember all these principles? We created an easy way for you to learn these principles by heart through our infographic below.

To view the full infographic, use this link: https://www.dpexnetwork.org/research/infographics-7-principles-malaysian-pdpa

Where to start: Organisation’s Accountability

How does the organisation begin its DPMP journey?

Under the Malaysia Personal Data Protection Act, all organisations are required to comply with the law. In addition, the legal requirement lists 13 sectors, designated by the Commissioner's office, in which organisations must register with the regulator. This registration is the first part of the organisation's effort to put its DPMP in place.

Currently, the Personal Data Protection Act requires the following classes of data users to register under the PDPA:

Having said that, all organisations are required to comply with the Malaysia Personal Data Protection Act. In cases where the organisation is not required to register with the regulator, a simple first step is to appoint someone within the organisation to look into PDPA matters.

Does the MY PDPA require accountability to be demonstrated in all elements of the organisation, from Policy to People to Process?

The organisation would require a programme (DPMP) to manage these elements for data protection. The MY PDPA does not spell out the accountability requirement to a certain extent; however, the compliance effort and focus can be broken down into three areas: Policy, People and System.

The Data Protection Management Programme (DPMP)

What does the organisation need to do?

The organisation would therefore start by having a systematic framework to help establish a robust data protection infrastructure. It covers management policies and processes for the handling of personal data, and defines the roles and responsibilities of the people in the organisation in relation to personal data protection. Having an established DPMP helps an organisation demonstrate accountability in data protection. Spearheaded by the DPO, with the mandate of management and the cooperation of all staff, the DPMP helps provide confidence to stakeholders and fosters trusted relationships with customers and business partners.

Policy

It is important that the policies address the gaps relating to the PDPA. More often than not, we see policies being developed using a top-down approach.

Each organisation and its risks are different from one another. From the Malaysia perspective, policies are to cover the 7 principles. Most importantly, the policy has to be applied at the ground level. Therefore, a risk assessment that covers the relevant areas, such as regulatory compliance, data inventory and data mapping (business processes), should be carried out first. Only then can an effective policy be developed to address the relevant PDPA risks in the organisation. In Malaysia, there is subsidiary legislation such as the PDPA Standard 2015 that touches on best practice for retention and security, which organisations can refer to and deploy within the organisation.

People

People within the organisation continue to be the biggest contributors when it comes to a data leak or data incident.

Adequate training on what can and cannot be done is necessary. In order to sustain awareness and education among employees, frequent or periodic training is required. Training can be conducted in many ways, such as e-learning, as part of a team-building activity, or as a form of skill and knowledge refresher. This is part of the effort to sustain the awareness and skill of data protection in the organisation's human resources.

Processes

Audit is an important part of ensuring that processes are adhered to in an organisation.

Recent innovations have changed the way businesses operate. Many organisations have transformed or moved part of their business into digital. While this is a good initiative to ride the waves of change, what organisations at times overlook are the appropriate controls needed to ensure that the organisation does not go against the law. This means an organisation needs to map out each business process, from creation to destruction, where personal data is involved. Only then can gaps be properly identified and proper controls be put in place. Nor should the traditional way of doing business be forgotten, where physical documents have been the status quo of how things are run in the organisation. A gap in a business process could potentially lead to a customer complaint due to misuse of their data, or to a system or database being compromised, where customer information is leaked or illegally accessed by a hacker or someone outside the organisation.

Data Protection as part of Governance Risk and Compliance Management

Even once the gap assessment has been done and controls are put in place, the importance of audit is to ensure that the implementation is effective and, if need be, that additional or refined controls are put in place.

The DPO and the role in CUDS and APSR

Based on my casual poll when I speak at PDPD seminars, the DPO role in Malaysia typically resides under the legal department, followed by IT and Operations. Unlike in Singapore, where the data protection responsibility is more commonly found with the Business Continuity Management team or the Compliance department (https://www.dpexnetwork.org/articles/issues-and-challenges-faced-data-protection-officers-singapore-part-i/). Whatever the organisation structure, the DPO should not be a "lone ranger" in implementing a DPMP in an organisation.

This is because personal data is Collected, Used, Disclosed (or Disposed of) and Stored in various departments, and personnel from these teams need to be aware of, and actively help to put in place, the DPMP. This includes transactions with vendors and third-party service providers. Effort and support from the respective departments are needed to ensure the success of the implementation. All department heads should be held accountable for the implementation and be responsible for ensuring that the gaps are addressed with the appropriate controls.

(ASSESS) The committee (which comprises the HODs) is to ensure that the gap assessment is done thoroughly and, more importantly, that the data mapping (documentation of the business processes where personal data is involved) is complete.

(PROTECT) Once the necessary gap assessment is done, the relevant and appropriate controls can be designed, planned and put in place. Controls are identified as administrative, technical, and physical. Together these address the gaps discovered in the gap assessment.

(SUSTAIN) This is where most organisations have probably missed out or put less focus, because they think that having done the gap assessment is already sufficient and there is therefore no need to put much effort into sustaining it. The biggest mistake is ignoring this phase, where the gaps discovered at the assessment stage and the controls put in place are not tested or checked for consistency and compliance.

(RESPOND) This area of the compliance programme is rarely given any importance. A plan should be in place, whether it is for responding to a customer requesting a correction or to stakeholders in a data breach.

Amendment to Malaysia PDPA

What is the status?

Yes, there is a list of items being proposed for the amendments. Here are some of them.

  1. Data user to appoint a Data Protection Officer
  2. Data user to report data breach incidents to the Commissioner
  3. Data user to implement privacy by design
  4. Address privacy issues arising from data collection endpoints
  5. The application of Act 709 to non-commercial activity

Training and Upskilling

What can the organisation do to begin the journey of compliance with the Malaysia PDPA?

To enable organisations and DPOs to obtain and/or upgrade the relevant data protection skills, consultancy services and training courses are available. The DPEX Network not only provides the basic skills required but also a roadmap that enables the DPO to advance his/her knowledge beyond data protection, integrate it with GRC, and learn about international data protection/GRC frameworks.

For more information, you may contact courses@straitsinteractive.com

Article By: Benjamin Shepherdson (GDPR & Info Sec (EXIN), CIPM, GRCP)

Leong Wai Chong CIPM, GRCP

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.
