Malaysia holds the distinction of being one of the few countries that took the lead in protecting the privacy and digital rights of its citizens online. Thanks to its Personal Data Protection Act (PDPA), citizens in Malaysia have rights over how companies and websites online collect, use, and share their personal data.
The PDPA goes into great detail on what rights a consumer has with regard to their data being collected, the responsibilities of data handlers in properly educating data subjects about their rights, and most importantly, how organizations can expect to be penalized if they fall foul of the PDPA regulations.
Passed in June 2010 by the Malaysian parliament, the PDPA came into effect more than three years later in November 2013. Under Article 55 of the PDPA, the enforcement powers of the data regulation rest with the Malaysian Ministry of Justice, which later established the office of the Commissioner of the Department of Personal Data Protection (regulatory authority) dedicated specifically to enforcing the PDPA.
The PDPA is seen as an incredibly balanced piece of legislation that takes concrete steps to guarantee data subjects’ right to privacy and protection of their data while giving all websites and corporations the necessary breathing space to carry out their behavioral analyses with minimal losses to their reach or engagement.
The PDPA follows the same data protection approach as several other pieces of legislation passed over the last few years, such as the GDPR and CPRA: it applies not only to organizations inside Malaysia but also to organizations anywhere in the world that deal with the data of Malaysian citizens, provided they use equipment inside Malaysia for that purpose.
Any website or company that handles user data collected on the basis of “commercial transactions” is required to follow these regulations. As such, this includes any site that has anything to do with financing, banking, insurance, investments, or the supply or exchange of goods and services for a price.
However, the PDPA is explicit in creating exceptions for the following entities:
The last part has special significance since it gives companies and websites leeway in collecting Malaysians’ data if they aren’t processing that data inside Malaysian borders.
For further clarification, the term “processing” includes collecting, publishing, selling, recording, disclosing, and using data obtained from Malaysian users. Companies that do engage in these activities but not within Malaysia’s borders are exempt from the PDPA regulations.
The PDPA emphasizes the rights of data subjects. Hence, it goes into extensive detail about the responsibility of the websites and data handlers when it comes to dealing with the data subjects’ personal data.
The PDPA provides that a data user (data controller) must not process an individual’s personal data without their consent. The PDPA, however, provides the following exception to this principle:
An organization can only collect data for which it has gained explicit consent from the data subject. At the same time, it must have options for data subjects to easily withdraw or revoke their consent. Once consent is withdrawn, proper measures must be taken to ensure that the data subject’s data is not collected in any form.
An organization has the responsibility to properly inform all users that visit their website why their data needs to be collected and whether it will be shared with any third parties. The PDPA requires a data controller to inform a data subject by written notice of the following:
The onus is on the data handler to ensure that the data collected is properly protected against any form of cyberattack and data breach. For this reason, the data handler needs to have the best organizational tools and practices in place to prevent any such attacks. Where the data processing is carried out by a data processor on behalf of a data controller, the data controller must ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing, and must take reasonable steps to ensure compliance with those measures. The regulatory body has also issued several security standards that mandate a data controller to have a formulated security policy.
Currently, the PDPA does not provide any data breach notification requirements. However, as per the Public Consultation Paper 1/2018: The Implementation of Data Breach Notification, data controllers are required to notify the affected data subjects and regulatory authority about the breach and whether any of their information has been compromised as a result.
There is no requirement for conducting a data protection impact assessment under the PDPA.
A data controller must keep and maintain a record of any privacy notice, data subject request, or any other information relating to personal data processed by him in the form and manner that may be determined by the regulatory authority.
The PDPA provides that personal data can be transferred out of Malaysia only when the recipient country is specified as adequate in the Official Gazette. The personal data of data subjects cannot be disclosed without the consent of the data subject. The PDPA provides the following exceptions to the cross-border data transfer requirements:
The data subjects or the person whose data is being collected has certain rights under the PDPA. The most prominent rights can be categorized under the following:
The PDPA, like some of the other landmark data protection laws such as the CPRA and GDPR, gives data subjects the right to revoke, at any time and by way of written notice, their consent to having their data collected or processed.
As per this right, anyone whose data has been collected has the right to request to review their personal data and have it updated. The onus is on the data handlers to respond to such a request as soon as possible while also making it easy for data subjects to request access to their personal data.
Data subjects have the right to request that their data be stored in a manner where it is easily interpretable by all parties rather than having it stored in a silo. This ensures that the data ends up in a dataset that can be easily shared, read, interpreted, and used by different parties that have the proper permissions to use the data subject’s data.
The PDPA allows the data subjects to restrict the use of their data entirely or to restrict its use in certain conditions. In such a case, the data subject allows the data handler to keep possession of their data and use it as they see fit except in a few cases such as restricted use of their data in marketing campaigns for certain products/services. Data subjects can also request their data not be processed or used for anything that can cause distress or damage to them.
Under Article 55 of the PDPA, the enforcement powers of the data regulation rest with the Malaysian Ministry of Justice. However, the Ministry has since established the Commissioner of the Department of Personal Data Protection (regulatory authority) to oversee the enforcement of the PDPA across organizations collecting data on Malaysian residents.
The penalties for non-compliance with the PDPA regulation are rather straightforward. There are several principles that any organization collecting data will need to adhere to. Under Section 5 of the PDPA, if these principles are violated in any form, it carries a maximum fine of RM300,000 and/or imprisonment not exceeding a term of 2 years.
Furthermore, under Section 16 of the PDPA, certain institutes such as licensed banks, insurers, private health care institutions, licensed tour operators, direct sales businesses, private higher education institutions, and certain utilities and transportation service providers are required to register their activities with PDPA. In case of any violations, offenders can face fines of up to RM500,000 and imprisonment of up to 3 years.
Lastly, as per Section 129 of the PDPA, if an organization is found to have transferred data obtained from inside Malaysia to any external location, it can be fined up to RM300,000 and/or imprisoned for up to 2 years.
Organizations hoping to become, and more importantly remain, PDPA compliant in Malaysia have to ensure the following:
Citizens, as well as governments around the world, are increasingly becoming vigilant about the need for proper data protection regulation. Not only is there a need to properly oversee the sanctity of consumers’ data, but it is essential to do so without jeopardizing companies’ ability to market to their target audiences.
The best option to achieve an equilibrium between the two is to automate such privacy and protection operations, thereby helping companies comply with global privacy standards across the globe.
Securiti prides itself on developing a PrivacyOps framework that ensures end-to-end compliance automation thanks to several of its tools. As a result, Securiti is able to help companies comply with the PDPA in addition to any data protection regulation across the world. To see its tools in action, request a demo today.
The PDPA Act in Malaysia refers to the Personal Data Protection Act 2010, which was passed in June 2010 and came into effect more than three years later, in November 2013. It is a comprehensive law that regulates the processing of personal data by individuals and organizations in Malaysia.
While the Malaysia PDPA and GDPR share principles of protecting personal data, they differ in scope, requirements, and applicability. GDPR applies to the European Union, while PDPA applies to Malaysia.
No, Malaysia is not subject to GDPR. GDPR is a regulation of the European Union and applies to EU member states and their residents.
The enforcement powers of the PDPA rest with the Malaysian Ministry of Justice. However, the Ministry has since established the Commissioner of the Department of Personal Data Protection (regulatory authority) to oversee the enforcement of the PDPA across organizations collecting data on Malaysian residents.
The PDPA was implemented in Malaysia on November 15, 2013.
Non-compliance with the PDPA in Malaysia can result in fines and/or imprisonment. The penalty may vary depending on the specific offense.