www.pkfmalaysia.com
Agenda

Time          Topic
0900 - 0915   Welcome speech by Director of PKF Avant Edge
0915 - 1000   Overview of Personal Data
                Defining Terms
                PDPA Objectives
                Offences & Liabilities of PDPA
                Exemptions of PDPA
                Latest news on PDPA
1000 - 1115   Overview of the 7 principles
                General Principle
                Notice & Choice Principle
                Disclosure Principle
                Security Principle
                Retention Principle
                Data Integrity Principle
                Access Principle
1115 - 1130   Break/Discussion
1130 - 1230
1230 - 1300
Timeline (figure): 2013, 2015, 2017, 2020
PDPA Malaysia
Exemptions
Appointment and Functions of Commissioner
Personal Data Protection Fund
Personal Data protection advisory committee
Appeal tribunal
Inspection, Complaint and Investigation
Enforcement
Misc
Registration
The Minister may specify a class of data users who shall be required to
be registered as data users under the Act.
[Public Consultation Paper No. 2/2012: Communications, Banking and
Financial Institutions, Insurance and Takaful, Health, Tourism and
Hospitalities, Transportation, Education, Direct Selling and Direct
Marketing, Services, Real Estate, Utilities]
Exemptions
Appeal Tribunal
To review matters on appeal, with the powers of a subordinate court:
registration of a data user;
refusal of the Commissioner to register a code of practice;
failure of the data user to comply with a data access request or data correction request;
issuance of an enforcement notice;
refusal of the Commissioner to vary or revoke an enforcement notice; and
refusal of the Commissioner to carry out or continue an investigation.
The decision of the Appeal Tribunal is final and binding, and may, by leave of the
Sessions Court, be enforced as a judgment or order.
Enforcement
Power of investigation
Search and seizure with warrant
Search and seizure without warrant
Access to computerized data
Obstruction to search offence
Power to require production of computer, book, account, etc
Power to require attendance of persons acquainted with case
Examination of persons acquainted with case
Forfeiture of computer, book, account, etc seized
Power of arrest
Miscellaneous
Transfer of data to places outside Malaysia
A data user shall not transfer any personal data of a data subject to a place outside
Malaysia, except if:
the data subject has given his consent;
the transfer is necessary for the performance of a contract;
the transfer is for the purpose of any legal proceedings, legal advice or legal rights;
the transfer is for the avoidance of adverse action against the data subject;
the personal data will not be processed in contravention of the Act;
the transfer is necessary to protect the vital interests of the data subject;
the transfer is necessary as being in the public interest.
Personal Data
Name
Passport Number
Identity Card Number
Driver License
Phone Number
Photograph
Finger Print
Email
IP Address
Apple ID?
Political opinion
Religious, ideological or similar beliefs
Commission or alleged commission of offences
Types of information determined by the Ministry
Commercial Transaction
Processing
Collecting
Holding
Storing
Recording
Etc
PKF Avant Edge Sdn. Bhd.
Offences & Liabilities of PDPA (penalties and offences as laid out on the slide)
RM300K / 2 Years Prison
Failure to Register
RM500K / 3 Years Prison
Non compliance to Commissioner's requirements
RM200K / 2 Years Prison
Unauthorized Processing
RM500K / 3 Years Prison
Unlawful Collection / Disclosure
RM500K / 3 Years Prison
Non compliance to enforcement notice
RM200K / 2 Years Prison
Unauthorized Overseas Transfer
RM200K / 2 Years Prison
RM300K / 2 Years Prison
Coverage of PDPA
Malaysia Businesses
Non-Malaysian Businesses
The 7 Principles (figure: PDPA at the centre, surrounded by the seven principles)
General
Notice & Choice
Disclosure
Security
Retention
Data Integrity
Access
Controls and Exceptions
Control (Notice & Choice Principle)
Data user to notify owners in written format.
The written notification shall comprise:
Personal data being processed
Purpose of processing
Owner's rights and obligations
In the national language and English
Control (Disclosure Principle)
Personal data shall not be disclosed without the owner's consent,
unless:
Notified during collection, or for a related purpose
Disclosed to parties approved by the owner
Control (Security Principle)
Users are required to implement practical steps to protect data from being:
Lost
Misused
Modified
Used for unintended purposes
Destroyed
Where processing is carried out by a processor on behalf of the user, the user is required to:
Ensure the processor provides sufficient guarantees on technical and
organisational security measures
Take reasonable steps to ensure those guarantees are complied with
Exemption
Fully exempted: personal data concerning personal, family or household affairs
Partially exempted, subject to assessment on a case-by-case basis:
Prevention or detection of crime
Apprehension or prosecution of offenders
Assessment or collection of tax or duty
Statistics or research
Court order
Regulatory requirements
Control
Control (Data Integrity Principle)
Users shall take reasonable steps to ensure personal data is:
Accurate
Complete
Non-Misleading
Constantly Updated with other related information
Control (Access Principle)
Users shall give owners access to their own personal data.
Owners are able to correct their personal data when it is:
Inaccurate
Incomplete
Misleading
Not updated
Users may refuse the above only on grounds stated within the Act.
Owners can require the user to stop processing their personal data where the processing:
Causes or may cause substantial damage
Causes or may cause substantial distress
Is for the purpose of direct marketing
The High Court at Penang allowed a claim for invasion of privacy in the
case of Lee Ewe Poh v Dr. Lim Teik Mau & Anor [2010] 1 LNS
1162, where it was held that a surgeon must obtain the consent of
female patients before taking photographs of their intimate parts
during surgical procedures. Although that case can be categorised as a
breach of trust and confidentiality because of the doctor-patient
relationship, the High Court expressly allowed the Plaintiff's claim,
which inter alia pleaded an invasion of her right to privacy.
Other Examples
The Sony PlayStation Network hack in 2011
Sony was fined 250,000.00 for failing to adequately update its software
or keep its passwords secure
Sony notified all affected customers and provided a hotline for enquiries
Security protection was upgraded
$171 million was spent
The Hang Seng Bank savings account applicants' data collection
Excessive collection of education and marital information
Of 19 branches reviewed, 9 were found to be non-compliant
All 9 branches had to revamp their forms
Hospital loss of patient data held on portable storage devices
Policies and procedures were mandated
Endpoint security software was installed at all affected hospitals
Hypothetical Walkthrough
E-Commerce Site
Register customer: collect personally identifiable data
Inform the purpose on the form, and the owner's rights to access and correct data
Ensure collection, storage and processing comply with ALL principles
Consent must be explicit; no blanket consent
Ensure the data is relevant to the processing
Ensure evidence of consent is kept; if consent is oral, keep an authorised recording of it
Other methods of consent online: clicking checkboxes, sign-off, etc.
Challenge: online (non face-to-face) consent is difficult to verify, as even clicking
checkboxes can be repudiated.
Scenario
Hiring
Marketing
Survey
Security & Retention
Compliance roadmap (figure; axes: Time and Effort). Stages shown: Readiness,
Gap Assessment, Risk Assessment, Controls Development, Controls Implementation,
Audit, Monitor & Review, PDPA Complied.
Overview of Activities
Start compliance now.
Review documents to determine compliance.
Designate a special officer to deal with personal data matters.
Implement security procedures to protect against abuse of personal data.
Avoid collecting sensitive information.
Appoint a privacy officer to deal with privacy matters.
Implement procedures to handle customer complaints.
Phase 1: Gap Analysis
Development of project team
Comparison of company capabilities against requirements
Development of an implementation roadmap, budget and timeline
Phase 2: Remediation
Development of framework, policies, processes, standards and procedures
Development of information security to comply with the principles
Continuous awareness, training and project management
Benefits analysis
Phase 3: Compliance Assessment
1. Gap Assessment
Review Scope: Who is in scope, what is in scope, where is it stored?
Review Process of collection, usage, processing, storage, retention, destruction
Review PDPA documents T&C, privacy statements
Review Third party relationships and agreements
Review R&R
Review organisational processes against the seven principles
Review Security Posture Assessment (SPA), IT audit, Penetration testing etc
Develop remediation plans
2. Implementation
Provide a project management layer for the entire PDPA compliance implementation
Provide offsite and onsite support to help develop policies and documentation
Provide updated information on the development of PDPA through our relationships with relevant agencies and associations
Provide technology consulting on data leakage protection and authentication
WHY AVANTEDGE
1. Expertise in Compliance
While PDPA is still not enforced, we are already well versed in compliance
exercises, having implemented international standards such as PCI-DSS and
ISO27001 for our clients. Where legal advisory is needed, we have legal
practitioners on board our team who will guide and oversee the formation of
policies to address PDPA concerns.
2. Powerful Network
Not only do we have the backing of 21,000 people in over 125 countries, we have
also established close relationships with countries that have gone through similar
personal data protection exercises, to leverage their experience and
knowledge base.
3.
Compliance
Gap Assessment
Implementation
Certification Management
1) ISO 27001
2) ISO 20000
3) PCI DSS
4) ISO 9001
5) ISO 14001
6) BSA Review
7) PDPA Gap and Implementation
8) Custom Compliance Package
Training
1) ISO27001 & PCI DSS
2) Audit and Implementation
Project Management
1) PMO Team
2) Project Director
3) Project Manager
4) Business Process Consultant
avantedge@pkfmalaysia.com
Web:
http://www.pkfmalaysia.com
TechBlog:
http://www.pkfavantedge.com
Twitter:
http://twitter.com/pkfavantedge
Address:
Facsimile:
The End