Overview of Malaysia’s Personal Data Protection Act

Malaysia holds the distinction of being one of the few countries that took the lead in protecting the privacy and digital rights of its citizens online. Thanks to its Personal Data Protection Act (PDPA), citizens in Malaysia had rights over how companies and websites online collect, use, and share their personal data.

The PDPA goes into great detail on what rights a consumer has with regards to their data being collected, the responsibilities of data handlers in properly educating the data subjects of their rights, and most importantly, how organizations can expect to be penalized if they fall foul of the PDPA regulations.

Passed in June 2010 by the Malaysian parliament, the PDPA came into effect more than three years later in November 2013. Under Article 55 of the PDPA, the enforcement powers of the data regulation rest with the Malaysian Ministry of Justice, which later established the office of the Commissioner of the Department of Personal Data Protection (regulatory authority) dedicated specifically to enforcing the PDPA.

The PDPA is seen as an incredibly balanced piece of legislation that takes concrete steps to guarantee data subjects’ right to privacy and protection of their data while giving all websites and corporations the necessary breathing space to carry out their behavioral analyses with minimal losses to their reach or engagement.

Who Needs To Needs To Comply

The PDPA follows the same data protection protocols that several other pieces of legislation have followed over the last couple of years such as the GDPR and CPRA as it not only applies to organizations inside Malaysia but also ones that deal with the data of Malaysian citizens from anywhere in the world if it has used equipment inside Malaysia for that very purpose.

Any website or company that handles user data collected on the basis of “commercial transactions” is required to follow these regulations. As such, this would include any site that has anything to do with financing, banking, insurance, investments, the supply or exchange or goods and services for a price.

However, the PDPA is explicitly clear in creating exceptions for the following entities:

• The Federal & State governments of Malaysia;
• Credit report agencies that fall under the Malaysia Credit Reporting Agencies Act 2010; and
• Data handlers (data controllers) processing personal data outside Malaysia (Unless the processed data requires further processing inside Malaysia).

The last part has special significance since it gives companies and websites leeway in collecting Malaysians’ data if they aren’t processing that data inside Malaysian borders.

For further clarification, the term “processing” includes collecting, publishing, selling, recording, disclosing, and using data obtained from Malaysian users. Companies that do engage in these activities but not within Malaysia’s borders are exempt from the PDPA regulations.

Obligations for Organizations Under the PDPA

The PDPA emphasizes the rights of data subjects. Hence, it goes into extensive detail about the responsibility of the websites and data handlers when it comes to dealing with the data subjects’ personal data.

Lawful Basis Requirements

The PDPA provides that a data user (data controller) must not process individuals without their consent. The PDPA, however, provides the following exception to this principle:

• Performance of a contract to which the data subject is a party;
• Taking steps, at the data subject's request, with a view to entering into a contract;
• Protecting the vital interests, namely matters relating to life, death, or security, of the data subject;
• Compliance with any legal obligation to which the data user is the subject, other than a contractual obligation;
• Administration of justice; or
• Exercise of any functions conferred on any person under any law.

Consent Requirements

An organization can only collect data for which it has gained explicit consent from the data subject. At the same time, it must have options for data subjects to easily withdraw or revoke their consent. Once consent is withdrawn, proper measures must be taken to ensure that the data subject’s data is not collected in any form.

Privacy Notification

An organization has the responsibility to properly inform all users that visit their website why their data needs to be collected and whether it will be shared with any third parties. The PDPA requires a data controller to inform a data subject by written notice of the following:

• That the personal data of the data subject is being processed and a description of the data;
• The purposes for which the personal data is being collected and further processed;
• Any information available to the data user as to the source of that personal data;
• The data subject's right to request access and correction of the personal data;
• The contact particulars of the data user in the event of any inquiries or complaints;
• The class of third parties to whom the data is or may be disclosed;
• The choices and means offered to a data subject to limit the processing of the data; and
• Whether it is obligatory or voluntary for the data subject to supply data, and if obligatory, the consequences of not doing so.

Security Requirements

The onus is on the data handler to ensure that the data collected is properly protected against any form of cyberattacks and data breaches. For this reason, the data handler needs to have the best organizational tools and practices in place to prevent any such attacks.Where the data processing is carried out by a data processor on behalf of a data controller, the data controller must ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing and takes reasonable steps to ensure compliance with those measures. The regulatory body has also issued several security standards that mandate a data controller to have a formulated security policy.

Data Breach Requirements

Currently, the PDPA does not provide any data breach notification requirements. However, as per the Public Consultation Paper 1/2018: The Implementation of Data Breach Notification, data controllers are required to notify the affected data subjects and regulatory authority about the breach and whether any of their information has been compromised as a result.

Data Protection Impact Assessment

There is no requirement for conducting data protection impact assessment under the PDPA.

Record of Processing Activities

A data controller must keep and maintain a record of any privacy notice, data subject request, or any other information relating to personal data processed by him in the form and manner that may be determined by the regulatory authority.

Cross Border Data Transfer Requirements

The PDPA provides that personal data can be transferred out of Malaysia only when the recipient country is specified as adequate in the Official Gazette. The personal data of data subjects can not be disclosed without the consent of the data subject. The PDPA provides the following exceptions to the cross border data transfer requirements:

• Where the consent of data subject is obtained for transfer; or
• Where the transfer is necessary for the performance of contract between the parties;
• The transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;
• The data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of this PDPA;
• The transfer is necessary in order to protect the vital interests of the data subject; or
• The transfer is necessary as being in the public interest in circumstances as determined by the Minister.

Regulatory Authority

Under 55 of the PDPA, the enforcement powers of the data regulation rest with the Malaysian Ministry of Justice. However, the Ministry has since established the ​​Commissioner of the Department of Personal Data Protection (regulatory authority) to oversee the enforcement of PDPA across organizations collecting data on Malaysian residents.

Penalties for Non-Compliance

The penalties for non-compliance with the PDPA regulation are rather straightforward.here are several principles that any organization collecting data will need to adhere to. Under Section 5 of the PDPA, if these principles are violated in any form, it carries a maximum fine of RM300,000 and/or imprisonment not exceeding a term of 2 years.

Furthermore, under Section 16 of the PDPA, certain institutes such as ​​licensed banks, insurers, private health care institutions, licensed tour operators, direct sales businesses, private higher education institutions, and certain utilities and transportation service providers are required to register their activities with PDPA. In case of any violations, offenders can face fines of up to RM500,000 and imprisonment of up to 3 years.

Lastly, as per Section 129 of the PDPA, if an organization is found to have transferred data obtained from inside Malaysia to any external location, they can be fined up to RM300,000 and/or 2-years of imprisonment to follow.

How Organizations Can Operationalize the Law

Organizations hoping to become and more importantly remain PDPA complaint in Malaysia have to ensure the following:

• Obtain express consent from the users before processing any data from them.
• Communicate to data subjects what data is being collected on them.
• Maintain proper channels of communication allowing the data subjects to request access, alteration, or deletion of data collected on them.
• Have a robust structure of data mapping within the organization.
• Properly educate the employees and the workforce on your data processing methods to reduce the chance of any discrepancies.

How Securiti Can Help

Citizens in addition to governments around the world are increasingly becoming vigilant about the need for proper data protection regulation. Not only is there a need to properly oversee the sanctity of consumers’ data, but it is essential to do so without jeopardizing companies’ ability to market to their target audiences.

The best option to achieve an equilibrium between the two is to automate such privacy and protection operations, thereby helping companies comply with global privacy standards across the globe.

Securiti prides itself on developing a PrivacyOps framework that ensures end-to-end compliance automation thanks to several of its tools. As a result, Security is able to help companies comply with the PDPA in addition to any data protection regulation across the world. To see its tools in action, request a demo today.