The Personal Data Protection Act 2010 (“PDPA”) is an Act that regulates the processing of personal data with regard to commercial transactions. It was gazetted in June 2010. The penalty for non-compliance will be between RM 100k – 500k and/or imprisonment of between 1 – 3 years.
This Act applies to any person who collects and processes personal data with regard to commercial transactions. The seven principles of the Act are the general, notice and choice, disclosure, retention, security, access and data integrity principles.
Personal data relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject. Examples include name, identity card number, date of birth and mobile number.
Where personal data processing is outsourced to a third party, known as the data processor, it is the responsibility of the data user to ensure that the data processor provides sufficient guarantees to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
This Act affects the personal data life cycle management process, from the point personal data is collected through its use, storage and destruction. This Act applies to the personal data of customers, employees and third-party service providers. Companies' way of doing business will definitely be affected, as business processes are required to be refined to comply with the PDPA requirements. Most importantly, a central repository may be required for consent management. The process becomes more complex when cross-border personal data transfer is involved.
Will you be ready when the Act comes into force? We are currently assisting our clients to become PDPA compliant. The scope of work includes performing a gap analysis and impact assessment against the PDPA requirements, as well as developing an implementation roadmap for closing the gaps identified in the most practical and efficient manner. On top of that, PwC provides PDPA awareness training. Please do not hesitate to contact us for more information.
The personal data protection related services we provide include: