In Malaysia, the Personal Data Protection Act 2010 ("PDPA") was enacted to protect individuals' personal data that is processed in commercial transactions. Since 2019, the Personal Data Protection Commissioner ("the Commissioner") has been conducting inspections of business and commercial entities operating in Malaysia.
This article is aimed at small and medium enterprises (SMEs) with an online presence, such as a registration website, an online shop, or sales conducted over WhatsApp. It explains why you need to be aware of the PDPA in order to avoid a fine of up to RM500,000.00, and covers the following:-
The good news is that compliance is not difficult once you know what is required.
What is the importance of PDPA
Section 7 of the PDPA requires a data user to inform the data subject, by written notice, that his or her personal data is being or will be collected, the purposes for which it is processed, and the parties to whom it is or may be disclosed. The PDPA is important because it sets out the rules and baseline practices that companies must follow when processing personal data.
Now, let us delve into the definitions of data user, data subject and personal data briefly:-
a. Data User means a person who, alone or jointly with others, processes any personal data or has control over or authorises the processing of any personal data (a data processor acting only on the data user's behalf is not a data user).
b. Data Subject means the individual who is the subject of the personal data.
c. Personal Data means any information in respect of commercial transactions that is processed, wholly or partly, by equipment operating automatically in response to instructions given for that purpose (or is recorded with the intention of being so processed, or as part of a filing system), and that relates directly or indirectly to a data subject who is identified or identifiable from that information. Examples include the IC number, home address and contact details.
There are principles that have to be followed by the data users which are:-
a. General Principle
A data user may not process a data subject's personal data without his or her consent, and may only process it for a lawful purpose directly related to the data user's activity, and only to the extent necessary for that purpose.
b. Notice and Choice Principle
Data users must inform data subjects, by written notice (a privacy notice) in both Bahasa Melayu and English, of the purposes for which their data is collected, the source of the data, their right to request access and correction, the classes of third parties to whom the data may be disclosed, and how to contact the data user.
c. Disclosure Principle
Personal data may not be disclosed, without the data subject's consent, for any purpose other than the purpose notified at the time of collection, or to any party other than the classes of third parties notified.
d. Security Principle
Data users must take practical steps to protect personal data from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, having regard to the nature of the data and the harm that would result from a breach.
e. Retention Principle
Personal data must not be retained longer than is necessary for the purpose for which it was processed. The data user must take reasonable steps to ensure that the data is destroyed or permanently deleted once it is no longer needed.
f. Data Integrity Principle
The data user must take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose for which it was collected and processed.
g. Access Principle
The data subject has the right to access his or her own personal data and to have data that is inaccurate, incomplete, misleading or outdated corrected. However, the PDPA sets out certain grounds on which a data user may refuse to comply with a data access request or data correction request.
These principles are mandatory. For further details on each principle, you can read more here.
What are the stakes/risks of getting fined
If you fail to comply with the PDPA, the consequences are serious: costly and avoidable civil claims, together with penalties imposed on you and your business by the authority.
Failure to comply with the PDPA is an offence, and the penalty depends on the provision breached. Failure to comply with the seven principles carries a fine of up to RM300,000.00 and/or imprisonment for up to 2 years, while processing personal data without being registered as a data user, or collecting or disclosing personal data unlawfully, carries a fine of up to RM500,000.00 and/or imprisonment for up to 3 years.
Where a company commits an offence under the PDPA, its directors, chief executive officer, managers or other officers responsible for its management are deemed to have committed the offence as well, unless they can show it was committed without their knowledge or consent and that they exercised due diligence. Depending on the circumstances, they may be charged separately or jointly in the same proceedings.
Some news reports on PDPA violations are listed below:
What are the steps to comply with the PDPA rules
There are essential steps you must take if you process customers' personal data. First, familiarise yourself with the term "Privacy Notice": a notice that tells your customers who you are, what you will do with the information you collect from them, and which other parties that information will be disclosed to.
The government has published a short guideline on the importance of a privacy notice and how to draft one. You can find it here.
Briefly, we can explain to you the steps you need to do which are as follows:
Prepare a privacy notice in both Bahasa Melayu and English and issue it to your customers.
Prepare a Personal Data Policy governing how your business and its staff process and handle customers' personal data.
Prepare a Retention Policy for customers' personal data, and audit the personal data of previous customers so that data no longer needed is disposed of.
Establish a procedure for customers to request access to, and correction of, their personal data.
Ensure that customers' personal data is stored securely and that access is limited to staff who need it.
Ensure that personal data is used and disclosed only for the purpose for which it was collected, and is not disclosed to unrelated parties.
Ensure that the relevant personnel, such as Human Resource and customer relationship staff, are adequately trained in data protection law and practice.
Review your data collection forms so that personal data is not collected excessively.
Ensure that any transfer of personal data outside Malaysia is lawful under the PDPA.
In all cases, the notice must clearly and specifically state the purposes for which the personal data is collected, and those purposes must be fully communicated to your customers.
What are the costs incurred for PDPA notice and other compliance
A data user that is required to register must pay registration and renewal fees. Under the Personal Data Protection (Registration of Data User) Regulations 2013, the fees are as follows:
a. Sole Proprietor – RM100
b. Partnership – RM200
c. Private Company – RM300
d. Public Company – RM400
Once registered, you will receive a Certificate of Registration from the Commissioner. Registration is mandatory under the PDPA 2010 for data users in the prescribed classes, and processing personal data without registering is itself an offence.
Registration is required for businesses that fall within the classes of data users prescribed under the Personal Data Protection (Class of Data Users) Order 2013, which include, among others, communications, banking and financial institutions, insurance, health, tourism and hospitality, transport, education, direct selling, services, real estate and utilities. The "services" class is broad and catches many SMEs, and there is no exemption based on the size of the business. This is consistent with the "Frequently Asked Questions on PDPA" on the government's website, which you can find here.
Therefore, if you are an SME owner, you must ensure that you comply with every requirement under the PDPA 2010, including the seven (7) principles set out above. You may wish to consult a lawyer for legal advice on PDPA compliance.
We hope this article has helped you understand the importance of complying with the PDPA. If you have any questions, please contact us and we will be happy to assist you in detail.