Securiti PrivacyOps Named a Leader in The Forrester WaveTMDownload Now
Malaysia holds the distinction of being one of the few countries that took the lead in protecting the privacy and digital rights of its citizens online. Thanks to its Personal Data Protection Act (PDPA), citizens in Malaysia had rights over how companies and websites online collect, use, and share their personal data.
The PDPA goes into great detail on what rights a consumer has with regards to their data being collected, the responsibilities of data handlers in properly educating the data subjects of their rights, and most importantly, how organizations can expect to be penalized if they fall foul of the PDPA regulations.
Passed in June 2010 by the Malaysian parliament, the PDPA came into effect more than three years later in November 2013. Under Article 55 of the PDPA, the enforcement powers of the data regulation rest with the Malaysian Ministry of Justice, which later established the office of the Commissioner of the Department of Personal Data Protection (regulatory authority) dedicated specifically to enforcing the PDPA.
The PDPA is seen as an incredibly balanced piece of legislation that takes concrete steps to guarantee data subjects’ right to privacy and protection of their data while giving all websites and corporations the necessary breathing space to carry out their behavioral analyses with minimal losses to their reach or engagement.
The PDPA follows the same data protection protocols that several other pieces of legislation have followed over the last couple of years such as the GDPR and CPRA as it not only applies to organizations inside Malaysia but also ones that deal with the data of Malaysian citizens from anywhere in the world if it has used equipment inside Malaysia for that very purpose.
Any website or company that handles user data collected on the basis of “commercial transactions” is required to follow these regulations. As such, this would include any site that has anything to do with financing, banking, insurance, investments, the supply or exchange or goods and services for a price.
However, the PDPA is explicitly clear in creating exceptions for the following entities:
The last part has special significance since it gives companies and websites leeway in collecting Malaysians’ data if they aren’t processing that data inside Malaysian borders.
For further clarification, the term “processing” includes collecting, publishing, selling, recording, disclosing, and using data obtained from Malaysian users. Companies that do engage in these activities but not within Malaysia’s borders are exempt from the PDPA regulations.
The PDPA emphasizes the rights of data subjects. Hence, it goes into extensive detail about the responsibility of the websites and data handlers when it comes to dealing with the data subjects’ personal data.
The PDPA provides that a data user (data controller) must not process individuals without their consent. The PDPA, however, provides the following exception to this principle:
An organization can only collect data for which it has gained explicit consent from the data subject. At the same time, it must have options for data subjects to easily withdraw or revoke their consent. Once consent is withdrawn, proper measures must be taken to ensure that the data subject’s data is not collected in any form.
An organization has the responsibility to properly inform all users that visit their website why their data needs to be collected and whether it will be shared with any third parties. The PDPA requires a data controller to inform a data subject by written notice of the following:
The onus is on the data handler to ensure that the data collected is properly protected against any form of cyberattacks and data breaches. For this reason, the data handler needs to have the best organizational tools and practices in place to prevent any such attacks.Where the data processing is carried out by a data processor on behalf of a data controller, the data controller must ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing and takes reasonable steps to ensure compliance with those measures. The regulatory body has also issued several security standards that mandate a data controller to have a formulated security policy.
Currently, the PDPA does not provide any data breach notification requirements. However, as per the Public Consultation Paper 1/2018: The Implementation of Data Breach Notification, data controllers are required to notify the affected data subjects and regulatory authority about the breach and whether any of their information has been compromised as a result.
There is no requirement for conducting data protection impact assessment under the PDPA.
A data controller must keep and maintain a record of any privacy notice, data subject request, or any other information relating to personal data processed by him in the form and manner that may be determined by the regulatory authority.
The PDPA provides that personal data can be transferred out of Malaysia only when the recipient country is specified as adequate in the Official Gazette. The personal data of data subjects can not be disclosed without the consent of the data subject. The PDPA provides the following exceptions to the cross border data transfer requirements:
The data subjects or the person whose data is being collected has certain rights under the PDPA. The most prominent rights can be categorized under the following:
Under 55 of the PDPA, the enforcement powers of the data regulation rest with the Malaysian Ministry of Justice. However, the Ministry has since established the Commissioner of the Department of Personal Data Protection (regulatory authority) to oversee the enforcement of PDPA across organizations collecting data on Malaysian residents.
The penalties for non-compliance with the PDPA regulation are rather straightforward.here are several principles that any organization collecting data will need to adhere to. Under Section 5 of the PDPA, if these principles are violated in any form, it carries a maximum fine of RM300,000 and/or imprisonment not exceeding a term of 2 years.
Furthermore, under Section 16 of the PDPA, certain institutes such as licensed banks, insurers, private health care institutions, licensed tour operators, direct sales businesses, private higher education institutions, and certain utilities and transportation service providers are required to register their activities with PDPA. In case of any violations, offenders can face fines of up to RM500,000 and imprisonment of up to 3 years.
Lastly, as per Section 129 of the PDPA, if an organization is found to have transferred data obtained from inside Malaysia to any external location, they can be fined up to RM300,000 and/or 2-years of imprisonment to follow.
Organizations hoping to become and more importantly remain PDPA complaint in Malaysia have to ensure the following:
Citizens in addition to governments around the world are increasingly becoming vigilant about the need for proper data protection regulation. Not only is there a need to properly oversee the sanctity of consumers’ data, but it is essential to do so without jeopardizing companies’ ability to market to their target audiences.
The best option to achieve an equilibrium between the two is to automate such privacy and protection operations, thereby helping companies comply with global privacy standards across the globe.
Securiti prides itself on developing a PrivacyOps framework that ensures end-to-end compliance automation thanks to several of its tools. As a result, Security is able to help companies comply with the PDPA in addition to any data protection regulation across the world. To see its tools in action, request a demo today.
See how easy it is to manage privacy compliance with robotic automation.