Malaysia’s Personal Data Protection Act 2010 is expected to come into force on 16 August 2013, as previously mentioned in one of our articles.
The Personal Data Protection Department of Malaysia (“PDPD”) has intimated that the Personal Data Protection Act 2010 (“PDPA”) will come into operation on 16 August 2013. The PDPA seeks to regulate the processing of personal data by data users in commercial transactions, and to safeguard the interests of data subjects.
Data users are given a 3-month sunrise period from 16 August 2013 to comply with the PDPA.
Definitions of “personal data”, “data user” and “data subject”
The PDPA provides for the definition of “personal data”, “data user” and “data subject”.
“Personal data” means any information in respect of a commercial transaction, which relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.
The PDPA defines “data user” as a person who, either alone or jointly or in common with other persons, processes any personal data or has control over or authorises the processing of any personal data, but does not include a data processor.
A “data subject” is an individual who is the subject of the personal data, i.e. the individual whose personal data is processed by the data user.
Registration of Data Users
All data users will need to register themselves with the PDPD by 15 November 2013. The PDPD has verbally indicated that data users from the following industries must register:
¤ banking and financial institutions
¤ healthcare, hospitality and tourism
¤ real estate/property development
¤ direct selling/marketing
¤ services (e.g. legal, accountancy, business consulting, engineering, architecture, employment agencies, transportation)
¤ retail and wholesale
Whilst various industries such as the Information Technology (“IT”) industry have not been specifically identified as industries requiring registration in this first phase, the PDPD confirmed that the PDPA applies to all data users in every industry. Most, if not all, companies will be deemed data users given the broad definition under the PDPA. Registration is therefore still mandatory for data users in industries which are not specified above. The position taken by the PDPD is consistent with the provisions of the PDPA, which requires all data users to register.
The PDPD has indicated that registration for data users will commence on 16 August 2013. Details on the registration process and procedures will be released in due course.
Implementation of PDPA
The PDPA will be implemented in 3 stages:
(i) 1st phase – registration of data users and information dissemination;
(ii) 2nd phase – inspections for compliance to be carried out by the PDPD; and
(iii) 3rd phase – audits and commencement of prosecution for non-compliance.
The first set of subsidiary legislation, which seeks to explain the interpretation and application of the PDPA, will be released on 16 August 2013.
It is expected that the PDPA will be fully implemented by January 2014, with a view to converting the PDPD into a full-fledged Personal Data Protection Commission.
Penalties for Non-Compliance
The consequences of breaching the PDPA are severe. Aside from the negative publicity, penalties for non-compliance with the PDPA include fines for companies and/or fines and imprisonment for directors and officers of the company.
Compliance with the PDPA
Data users must understand the new data protection regime and its impact on business decisions before the PDPA comes into operation. They should begin reviewing their policies, processes, contractual rights and obligations as well as standard forms and notices which relate to processing of personal data in order to ensure they are in compliance with the PDPA. If companies do not have any data protection policies yet, they must put in place sound internal policies that are consistent with the provisions of the PDPA, and carry out measures to comply with the law.
Malaysia has come a long way to finally pass and implement the PDPA after a wait of more than a decade. The PDPA has commercially far-reaching implications and severe penalties in the event of non-compliance. The intent of the PDPA is not to inhibit business but to grow it by giving consumers confidence that their personal data will be protected. Of course, requests for underwriting and claims information may now have to be appropriately reviewed; you are no longer able to require customers to provide information beyond what is deemed necessary for securing the appropriate insurance cover.
Errant data users should bear in mind that it is no longer “business as usual”.
From a risk management and business continuity perspective, these fixed timelines have now set the clock running on the need to secure specific contractual agreement from data subjects and to get the right processes in place, capable of compliance with the Malaysian PDPA.