PKF Avant Edge


Personal Data Protection Act 2010

PKF Avant Edge Sdn. Bhd.

www.pkfmalaysia.com

Agenda

Time          Topic
0900 - 0915   Welcome speech by Director of PKF Avant Edge
0915 - 1000   Overview of Personal Data
                Defining Terms
                PDPA Objectives
                Offences & Liabilities of PDPA
                Exemptions of PDPA
                Latest news on PDPA
1000 - 1115   Overview of the 7 principles
                General Principle
                Notice & Choice Principle
                Disclosure Principle
                Security Principle
                Retention Principle
                Data Integrity Principle
                Access Principle
1115 - 1130   Break/Discussion
1130 - 1230   Common practices of PDPA and Scenarios; Case Studies
1230 - 1300   Compliance Roadmap and What's Next; Q&A

Did you know? You should know!

Your IC number can be identified within hours through a combination of your name and email?
1,000 handphone and email listings sold for RM100.00?
Complete data with full names, addresses, and two phone numbers of people with the title of Tan Sri and Datuk sold for RM3 each?
Source: "Beware, your data's on sale"
http://thestar.com.my/news/story.asp?file=/2009/5/3/focus/3818877&sec=focus

Did you know? You should know!

(Figure taken from the Federal Trade Commission, U.S.)

The Ubiquity of Technology

(Timeline figure: 2013, 2015, 2017, 2020)

Current State of PDPA

Gazetted in June 2010
Commissioned by the Ministry of Information, Communication & Culture
The Ministry has established a Personal Data Department (JPDP) to administer the Act
To REGULATE the collection, storing and processing of personal data
Not to OBSTRUCT, but to set rules within 7 principles
The Act was targeted to be enforced in January 2013
THREE months to comply, starting from the enforcement date
The Ministry has announced that enforcement of the PDPA will be delayed
Preparation targeted to be completed by end of March

Steps Taken to Protect Consumer Information

Big Boys Have taken their steps

Associations Are Taking Steps

Association of Banks in Malaysia: requesting an additional timeframe of 18 months for compliance (transitional relief)
Specific Data User Forum for the banking industry code of practice
PPWG: discussion of standards for applications

PDPA Malaysia

First Among ASEAN Countries
13 new criminal offences
The Personal Data Protection Act aims to protect personal data in commercial transactions from being processed without the owner's knowledge
Ensures accuracy of personal data
Regulates the processing of personal data in commercial transactions
Underpinned by 7 Principles

Definitions within the PDPA:
Data User
Data Subject
Data Processor
Personal Data
Sensitive Personal Data
Commercial Transaction
Processing

A Quick Look at PDPA

Division 1: Principles of PDPA
Division 2: Registration
Division 3: Data user forum and code of practice
Division 4: Rights of data subject

Exemptions
Appointment and Functions of Commissioner
Personal Data Protection Fund
Personal Data Protection Advisory Committee
Appeal Tribunal
Inspection, Complaint and Investigation
Enforcement
Miscellaneous

Registration

The Minister may specify a class of data users who shall be required to be registered as data users under the Act.
[Public Consultation Paper No. 2/2012: Communications, Banking and Financial Institutions, Insurance and Takaful, Health, Tourism and Hospitalities, Transportation, Education, Direct Selling and Direct Marketing, Services, Real Estate, Utilities]

Data User Forum and Code of Practice

The PDPA also provides for a data user forum.
This forum is to draft industry codes of practice on the procedures and processes for processing data related to their industry.

Rights of Data Subject

Right of access to personal data
Right to correct personal data
Right to withdraw consent to the processing of personal data
Right to prevent processing likely to cause damage or distress
Right to prevent processing for purposes of direct marketing

Exemptions

Personal, family or household affairs, including recreational
Crime, investigations
Offenders
Tax, duty
Physical, mental health
Statistics, research
Order, judgment of court
Regulatory functions
Journalistic, literary, artistic purposes

Appeal Tribunal

To review matters on appeal, with the powers of a subordinate court, concerning:
registration of a data user;
refusal of the Commissioner to register a code of practice;
failure of the data user to comply with a data access request or data correction request;
issuance of an enforcement notice;
refusal of the Commissioner to vary or revoke an enforcement notice; and
refusal of the Commissioner to carry out or continue an investigation.
The decision of the Appeal Tribunal is final and binding, and may by leave of the Sessions Court be enforced as a judgment or order.

Enforcement

Power of investigation
Search and seizure with warrant
Search and seizure without warrant
Access to computerized data
Obstruction of search is an offence
Power to require production of computer, book, account, etc.
Power to require attendance of persons acquainted with the case
Examination of persons acquainted with the case
Forfeiture of computer, book, account, etc. seized
Power of arrest

Query: No civil remedies, no compensation.

Miscellaneous

Transfer of data to places outside Malaysia
A data user shall not transfer any personal data of a data subject to a place outside Malaysia, except if:
the data subject has given his consent;
the transfer is necessary for the performance of a contract;
the transfer is for the purpose of any legal proceedings, legal advice or legal rights;
the transfer is for the avoidance of adverse action against the data subject;
the personal data will not be processed in contravention of the Act;
the transfer is necessary to protect the vital interests of the data subject;
the transfer is necessary as being in the public interest.

Offences and Protection

Offence by body corporate
If a body corporate commits an offence under this Act, a director, chief executive officer, chief operating officer, manager, secretary or other similar officer may be charged and may be deemed to have committed that offence, unless he proves absence of knowledge, consent or connivance, and due diligence.

Protection of informers
No witness in any civil or criminal proceedings shall be obliged to disclose the name or address of any informer or the substance and nature of the information received, or state any matter which might lead to his discovery.

Personal Data

Any commercially transacted personal information
Directly or indirectly relates to the data subject
Information that is able to identify a data subject
Sensitive information, including an opinion on the data subject

Personal Data : Examples

Name
Passport Number
Identity Card Number
Driver License
Phone Number
Photograph
Finger Print
Email
IP Address
Apple ID?


Sensitive Personal Data

Mental or physical health information
Political opinion
Religious, ideological or similar beliefs
Commission or alleged commission of offences
Types of information determined by the Ministry

Commercial Transaction

Supply or exchange of goods and services
Agency
Finance and Investment
Banking and Insurance
Credit Reporting: NOT IN SCOPE (*Credit Reporting Agencies Act 2010*)

Processing

Collecting
Holding
Storing
Recording
Etc.

Offences & Penalties Examples

(Offence and penalty boxes from the slide, in the order extracted)
Non compliance to requirements of sensitive personal data
Violating the Act
RM300K / 2 Years Prison
Failure to Register
RM500K / 3 Years Prison
Non compliance to commissioner's requirements
RM200K / 2 Years Prison
Unauthorized Processing
RM500K / 3 Years Prison
Unlawful Collection / Disclosure
RM500K / 3 Years Prison
Non compliance to enforcement notice
RM200K / 2 Years Prison
Unauthorized Oversea Transfer
RM200K / 2 Years Prison
RM300K / 2 Years Prison

Coverage of PDPA

In scope, with commercial intent:
Person who processes personal data
The decision maker
Malaysian businesses
Non-Malaysian businesses

Coverage of PDPA (cont.)

Not in scope:
Federal & State Governments
Non-commercial transactions
Personal, family & household affairs
Credit reference agencies
Data processed out of Malaysia

The 7 Principles

General
Notice & Choice
Disclosure
Security
Retention
Data Integrity
Access

The 7 Principles : General

Controls
Data user shall not process data without the owner's consent

Exceptions
Contractual purposes involving the owner
At the request of the owner, with a view to entering into a contract
To protect the vital interest of the owner
When a legal issue is involved

The 7 Principles : Notice & Choice

Control
Data user to notify owners in written form
The written notification shall comprise:
Personal data being processed
Purpose of processing
Owner's rights & obligations
In the national language and English

The 7 Principles : Disclosure

Control
Personal data shall not be disclosed without the owner's consent, unless:
Notified during collection, or for related purposes
To parties approved by the owner

The 7 Principles : Security

Control
Data users are required to implement practical steps to protect data from being:
Lost
Misused
Modified
Put to unintended use
Destroyed
When processing is carried out by a data processor on behalf of the data user, the data user is required to:
Ensure the processor provides sufficient guarantees on technical and organisational security measures
Take reasonable steps to ensure compliance with those guarantees

The 7 Principles : Security Cont.

Exemption
Personal data processed for personal, family or household affairs
Partially exempted, subject to case by case basis:
Prevention or detection of crime
Apprehension or prosecution of offenders
Assessment or collection of tax or duty
Statistics or research
Court order
Regulatory

The 7 Principles : Retention

Control
Personal data shall not be kept once the purpose is fulfilled
Personal data shall not be kept indefinitely, but must be destroyed once the initial purpose is no longer valid

The 7 Principles : Data Integrity

Control
Data user shall take reasonable steps to ensure personal data is:
Accurate
Complete
Not misleading
Kept up to date with other related information

The 7 Principles : Access

Control
Data users shall give owners access to their own personal data
Owners are able to correct their personal data when it is:
Inaccurate
Incomplete
Misleading
Not up to date
Data users are able to refuse the above if the reason is one stated within the Act
Owners can stop/prevent the data user from processing their personal data if the processing:
Causes or may cause substantial damage
Causes or may cause substantial distress
Is for direct marketing

Examples within Malaysia

The High Court at Penang allowed a claim for invasion of privacy in the case of Lee Ewe Poh v Dr. Lim Teik Mau & Anor [2010] 1 LNS 1162, where it was held that a surgeon must obtain the consent of female patients before taking photographs of their intimate parts during surgical procedures. Although that case can be categorized as a breach of trust and confidentiality because of the doctor-patient relationship, the High Court expressly allowed the Plaintiff's claim, which inter alia pleaded an invasion of her right to privacy.

Other Examples

The Sony PlayStation Network hacking case in 2011
Sony was fined 250,000.00 for failing to adequately update its software or keep its passwords secure
Sony notified all affected customers and provided a hotline for enquiries
Upgrade of security protection
$171 million was spent

The Hang Seng Bank savings account applicants' data collection
Excessive collection of education and marital information
19 branches; 9 out of 19 were found to be non-compliant
All 9 branches had to revamp their forms

Hospital loss of patients' data due to portable storage devices
Policies and procedures were mandated
Endpoint security software installed at all affected hospitals

Hypothetical Walkthrough

E-Commerce Site
Register customer: collect personally identifiable data
Inform of the purpose on the form, and the owner's rights to access and correct data
Ensure collection, storage and processing comply with ALL principles
Consent must be explicit; no blanket consent
Ensure data is relevant to the processing
Ensure evidence of consent is kept; if oral, then a pre-recorded (authorised) statement of consent
Other methods of consent online: clicking checkboxes, sign-off, etc.
Challenge: online (non face to face) consent is difficult to verify, as even clicking checkboxes can be repudiated.

Scenario

Hiring
Requirement when collecting candidate information
Requirement when using candidate-provided information
When their status becomes non-candidate

Marketing / Survey
Requirement before collecting information
Requirement when collecting information
Requirement after collecting information
Requirement when the campaign is over

Security & Retention
What can IT do to provide security? How secure is secure?
Security in storage and exchange
Backup, recovery and archiving procedure

Road Map to Compliance

(Figure: compliance road map plotted against Time / Effort; stages shown: Readiness, Gap Assessment, Risk Assessment, Controls Development, Controls Implementation, Audit, Monitor & Review, and the end state PDPA Complied)

Overview of Activities

Start compliance now.
Review documents to determine compliance.
Designate a special officer to deal with personal data matters.
Start to acquire consent from data subjects.
Implement security procedures to protect against abuse of personal data.
Avoid collecting sensitive information.
Appoint a privacy officer to deal with privacy matters.
Implement procedures to handle customer complaints.
Provide and present training and awareness programmes.
Engage personal data protection service providers who may:
Identify the gaps to meet the legal requirements and any industry standards, and develop strategic methods to address the gaps;
Develop structures, roles and responsibilities, policies and procedures;
Audit processes and systems to assess compliance with policies, standards and legal requirements.

First Steps: Privacy Notice

The data user must explain why it is useful for the data subject to provide this information (for further processing, further notifications, etc.)
Additional information must be provided, with clear links on how to obtain it
Clear guidance on how data subjects can access their personal information (email, portal links, contact number, etc.)
Identification and assurance of third-party disclosure of information
In general, privacy notices should include:
What the information will be used for, and for what purpose
Third-party disclosure, if any
Who the sender is
How the information can be accessed by the data subject

Fine, what's next

Generate awareness in the organisation
  Awareness of internal policies for securing personal data
  Create a culture of high awareness and embed the protection of personal data in the organisation
  Regular workshops, training and integration with orientation
Know your current state (Gap Assessment)
  Understand the impact of PDPA on your business (in scope, out of scope)
  Identify the gaps and shortcomings
  Create a roadmap for remediation: action plan, project costs, etc. Project management should be established!
Obtain Senior Management Support
  Define a senior role or steering committee for PDPA, such as a Data Privacy Officer
Define Information Security
  Define an information protection strategy, programme and policy
  Look into current security practices and refine them
  Execute a security posture assessment
  Develop short-term compliance programmes: low hanging fruits, immediate remediation, risk assessment
Develop policies for PDPA
  Policies and procedures should be developed across all functions, with input from legal
Periodic compliance audit
  Conduct annual compliance or specific audit checks, such as IT audits and compliance audits

3 Phase Approach to Compliance

Phase 1: Gap Assessment and Development of Roadmap
Gap analysis
Development of project team
Comparison of company capabilities against requirements
Development of an implementation roadmap, budget and timeline

Phase 2: Remediation
Development of framework, policies, processes, standards and procedures
Development of information security to comply with the principles
Continuous awareness, training and project management
Benefits analysis

Phase 3: Compliance Assessment
Audit processes and systems
Implement continuous monitoring and audit cycles
Re-assessments and repeat cycle of gap-remediate-comply
AVANTEDGE PDPA ASSESSMENT & IMPLEMENTATION

1. Gap Assessment
Review scope: who is in scope, what is in scope, where is it stored?
Review process of collection, usage, processing, storage, retention, destruction
Review PDPA documents: T&C, privacy statements
Review third party relationships and agreements
Review R&R
Review organisational processes against the seven principles
Review Security Posture Assessment (SPA), IT audit, penetration testing, etc.
Develop remediation plans

2. Implementation
Provide a project management layer for the entire implementation of PDPA compliance
Provide offsite and onsite support to help develop policies and documentation
Provide updated information on the development of PDPA through our relationships with relevant agencies and associations
Provide technology consulting on data leakage protection and authentication
WHY AVANTEDGE

1. Expertise in Compliance
While PDPA is still not enforced, we are already well versed in compliance exercises, having implemented international standards such as PCI-DSS and ISO27001 for our clients. Where legal advisory is needed, we have on board in our team legal practitioners who will guide and oversee the formation of policies to address the PDPA concerns.

2. Powerful Network
Not only do we have the backing of 21,000 people in over 125 countries, we have also established close relationships with countries that have gone through similar personal data protection exercises, to leverage their experiences and knowledge base.

3. Right Tools, Right People
We utilise GRC (Governance, Regulation and Compliance) technology from Gartner Quadrant leading providers to run our compliance programs, and all our consultants are certified in multiple technical, audit and product certifications.
SERVICE OFFERINGS BREAK DOWN


Risk Assessment
1) RISK-IT & COBIT
2) ISO27005
Audit Plans
1) Change Management
2) Cloud Management
3) Application Generic and Specific
4) Information Security
5) IT Continuity Plan
6) Outsourcing
7) Incident Management
8) Software Licensing
9) Social Media
10) Network Security
11) Systems Development Life Cycle

Compliance
Gap Assessment
Implementation
Certification Management
1) ISO 27001
2) ISO 20000
3) PCI DSS
4) ISO 9001
5) ISO 14001
6) BSA Review
7) PDPA Gap and Implementation
8) Custom Compliance Package
Training
1) ISO27001 & PCI DSS
2) Audit and Implementation
Project Management
1) PMO Team
2) Project Director
3) Project Manager
4) Business Process Consultant

FOR MORE INFORMATION

PKF Avant Edge Sdn. Bhd. (892515-W)

Email: avantedge@pkfmalaysia.com
Web: http://www.pkfmalaysia.com
TechBlog: http://www.pkfavantedge.com
Twitter: http://twitter.com/pkfavantedge
Address: Level 33, Menara 1MK, Kompleks 1 Mont Kiara, No.1, Jalan Kiara, Mont Kiara, 50480 Kuala Lumpur
Telephone: +603 6203 1888
Facsimile: +603 6201 8880

The End
