Latest on PDPA | Malaysia’s Personal Data Protection Act 2010

Malaysia’s Personal Data Protection Act 2010 is expected to come into force on 16 August 2013, as was previously mentioned in one of our articles.

The Personal Data Protection Department of Malaysia (“PDPD”) has intimated that the Personal Data Protection Act 2010 (“PDPA”) will come into operation on 16 August 2013. The PDPA seeks to regulate the processing of personal data by data users in commercial transactions, and to safeguard the interests of data subjects.

Data users are given a 3-month sunrise period from 16 August 2013 to comply with the PDPA.

Definition of “personal data”, “data user”, “data subject”

The PDPA provides for the definition of “personal data”, “data user” and “data subject”.

“Personal data” means any information in respect of a commercial transaction, which relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.

The PDPA defines “data user” as a person who, either alone or jointly or in common with other persons, processes any personal data or has control over or authorises the processing of any personal data, but does not include a data processor.

A “data subject” is an individual who is the subject of the personal data, that is, the individual whose personal data is processed by the data user.

Registration of Data Users
All data users will need to register themselves with the PDPD by 15 November 2013. The PDPD has verbally indicated that data users from the following industries must register:
¤ banking and financial institutions
¤ insurance
¤ telecommunications
¤ utilities
¤ healthcare, hospitality and tourism
¤ education
¤ real estate/property development
¤ direct selling/marketing
¤ services (e.g. legal, accountancy, business consulting, engineering, architecture, employment agencies, transportation)
¤ retail and wholesale

Whilst various industries such as the Information Technology (“IT”) industry have not been specifically identified as industries requiring registration in this first phase, the PDPD confirmed that the PDPA applies to all data users in every industry. Most, if not all, companies will be deemed data users given the broad definition under the PDPA. Registration is therefore still mandatory for data users in industries which are not specified above. The position taken by the PDPD is consistent with the provisions of the PDPA, which requires all data users to register.

The PDPD has indicated that registration for data users will commence on 16 August 2013. Details on the registration process and procedures will be released in due course.

Implementation of PDPA
The PDPA will be implemented in 3 stages:
(i) 1st phase – registration of data users and information dissemination;
(ii) 2nd phase – inspections for compliance to be carried out by the PDPD; and
(iii) 3rd phase – audits and commencement of prosecution for non-compliance.

The first set of subsidiary legislation, which seeks to explain the interpretation and application of the PDPA, will be released on 16 August 2013.

It is expected that the PDPA will be fully implemented by January 2014, with a view to converting the PDPD into a full-fledged Personal Data Protection Commission.

Penalties for Non-Compliance
The consequences for breaching the PDPA are severe. Aside from the negative publicity, penalties for non-compliance with the PDPA include fines for companies and/or fines and imprisonment for directors and officers of the company.

Compliance with the PDPA
Data users must understand the new data protection regime and its impact on business decisions before the PDPA comes into operation. They should begin reviewing their policies, processes, contractual rights and obligations as well as standard forms and notices which relate to processing of personal data in order to ensure they are in compliance with the PDPA. If companies do not have any data protection policies yet, they must put in place sound internal policies that are consistent with the provisions of the PDPA, and carry out measures to comply with the law.

Concluding Words
Malaysia has come a long way to finally pass and implement the PDPA after a wait of more than a decade. The PDPA has commercially far-reaching implications and severe penalties in the event of non-compliance. The intent of the PDPA is not to inhibit business but to grow it by giving consumers confidence that their personal data will be protected. Of course, the practice of requesting underwriting and claims information may now have to be appropriately reviewed; you are no longer able to force customers to provide information beyond what is deemed necessary for securing the appropriate insurance cover.

Errant data users should bear in mind that it is no longer “business as usual”.

From a risk management and business continuity perspective, these fixed timelines have now set the clock running on the need to secure specific contractual agreement from data subjects and to get the right processes in place, capable of compliance with the Malaysian PDPA.


6 comments for “Latest on PDPA | Malaysia’s Personal Data Protection Act 2010”

  1. Wong
    November 20, 2013 at 10:31

    PDPA effective since 15.11.2013.

  2. September 11, 2013 at 08:54

    Looks like another deferment again…. since there was no official announcement on the 16th August. Again another hari ini dalam sejarah (“today in history”)!
    (Here’s the news report from Sin Chew Daily:)

    PETALING JAYA, August 14 (Sin Chew Daily) — The implementation of the Personal Data Protection Act 2010 (PDPA) meant to protect the privacy of personal data of Malaysians has been deferred repeatedly.

    With the grace period ending on August 16, the actual date of implementation is expected to be further delayed if there are still changes to be made to the PDPA guidelines.

    Personal Data Protection Department public relations officer Norhani told Sin Chew Daily that the Attorney General’s Chambers is currently studying the relevant guidelines under the Act, and the Act will not be put into full implementation so long as there are still changes to be made.

    She said if the AG Chambers’ e-Federal Gazette does not publish the actual implementation date by tomorrow, the Act is likely to be further deferred again.

    • September 11, 2013 at 22:31

      Suppose so, but another delay is not going to make the industry more prepared than ever before.

    • October 4, 2013 at 20:04

      Despite reports that the Malaysian Personal Data Protection Act 2010 (“Malaysian PDPA”) would come into operation on 16 August 2013, the implementation of the Malaysian PDPA has been deferred again following new reports that the Attorney General’s Chambers is still studying the relevant guidelines under the Malaysian PDPA, and that the Malaysian PDPA will not be put into full implementation as long as there are still changes to be made. Whilst frustrating, the delay will at least provide some data processors who are expecting to be subject to the Malaysian PDPA with further breathing space in which to put in place appropriate practices and policies to ensure compliance with the new legislation once it finally comes into operation.


  3. Wong
    September 4, 2013 at 17:48

    PDPA hasn’t come into force yet. Received invitation for consultation 04.09.2013 on registration of data user.

    • September 5, 2013 at 05:46

      Accordingly, the PDPD is giving another 3 months for the registration and preparatory phase. The next phase of requirement is really next year. That’s what I gathered thus far.
