This article was written by some legal practitioners and uploaded onto the Lexology site; I thought its explanation of things was compactly expressed and easy to understand.
The Act requires those using personal data collected after that date to comply with the Act. For personal data which has been collected prior to that date, a 3-month leeway is given for compliance.
Are you a data user?
You are a data user if you process personal data (i.e. you collect, record, hold or store or otherwise carry out any operation on personal data), or control or authorise such processing, in Malaysia.
Note: You are considered to be processing personal data in Malaysia should you use equipment in Malaysia to process personal data, even if you are not established in Malaysia.
Is the personal data you are now collecting in compliance with the Act? Your answers to the questions below will give you an indication.
(1) Have you notified the data subject (the person whose data you are collecting) of the purpose for which you are collecting his personal data?
(2) Have you informed the data subject that he or she has a right to access the personal data you are collecting and to make corrections to it?
(3) Have you made sure that the personal data you are collecting is only used for the purposes you have informed the data subject of?
(4) Has the data subject given his or her consent for you to use the personal data you are collecting in the manner you intend to?
(5) How safe is the personal data you are collecting? Have you taken practical steps to protect it from loss, misuse or modification?
(6) Have you taken practical steps to prevent the personal data you are collecting from being accessed or disclosed or altered or destroyed in an accidental or unauthorised manner?
(7) Do you have in place reasonable steps to ensure that the personal data you are collecting is sufficiently complete and accurate, that it can be kept updated and that it is not misleading?
(8) Can the data subject access the personal data you are collecting so that he or she can correct it when it is inaccurate or incomplete or misleading or not kept up to date?
(9) Do you have a policy in place as to how long you will keep the personal data you are collecting?
(10) If you intend to transfer the personal data abroad, have you obtained consent from the data subject to do so?
These are but some of your obligations with respect to personal data you are collecting. An answer of ‘No’ to any of the questions posed means that you are potentially in breach of the Act and may be liable for a fine of up to RM500,000 or to be imprisoned for up to 3 years, or both.