1. HALF-DAY PUBLIC SEMINAR ON
MALAYSIAN PERSONAL DATA
PROTECTION ACT (PDPA) 2010
25 July 2011, Monday, 9.30 am – 12 pm
Legal Training Room, Menara SSM @ Sentral
By Noriswadi Ismail
Quotient Consulting
7/23/2011 (c) 2011 Quotient Consulting, Information Is Invaluable
2. Vignette 1
Harimau Malaya, Malaysian, holds a Malaysian
ID, passport, driving license, 3 Malaysian bank
accounts, 2 mobile accounts and 5 loyalty
membership cards. His details are also
registered in 2 private clinics, 1 government
hospital and 2 insurance companies. He has 1
bank account in London and Hong Kong
respectively. He travels frequently for business
and golfing. He is a director of 3 companies in
Malaysia, London and Hong Kong. Also, an avid
golfer of 3 golf clubs (Malaysia, Indonesia and
Scotland).
3. Executive Summary
Q: What is PDPA 2010?
Q: Why do we need to comply with PDPA 2010?
Q: What are the 7 data protection principles?
Q: Will PDPA 2010 kill my business operations?
Q: To what extent does PDPA 2010 affect your business operations?
Q: We are a start-up and a semi medium-sized company, how should we strategise?
Q: When should we start?
Q: Is there any additional compliance cost for this purpose?
Q: How about formality and enforcement?
Q: What's next and the must-do list?
Q: How to ensure such data protection & privacy management is sustainable?
4. What is PDPA 2010?
::: An Informational privacy legislation
::: 10 Parts (Preliminary, Personal Data Protection Principles,
Registration, Data user forum and Code of practice, Rights of
data subject, Exemption, Personal data Protection Fund,
Personal Data Protection Advisory Committee, Appeal Tribunal,
Inspection, Complaint and Investigation, Enforcement,
Miscellaneous, Savings and Transitional Provisions)
::: 146 Sections
::: Jurisdiction: Malaysia
5. What is PDPA 2010?
::: Received Royal Assent on 2 June 2010, and gazetted a week
later
::: Compliance commences: 3 months from the date of
enforcement
::: Application: To commercial transactions only, not applicable
to Federal and State Governments
::: Cross reference to: Electronic Commerce Act 2006's definition of commercial transactions: "…any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking, insurance, but does not include a credit reporting business carried out by a credit reporting agency…"
6. What is PDPA 2010?
Data Processor
• An authorised person who processes data on behalf of the data user
Regulator*
• Oversees and enforces the Laws
• Fund: Personal Data Protection Fund
Data Subject
• Individual who is the subject of the personal data
Data User
• A person / legal person who controls / authorises the processing of data
7. What is PDPA 2010?
*Regulator
::: Minister
::: Data Protection Commissioner
::: Personal Data Protection Advisory Committee
::: Data User Forum
::: Appeal Tribunal
8. What is PDPA 2010?
Question: What about Government to Government's engagements?
Question: What about Government Linked Companies (GLCs)?
9. What is PDPA 2010?
Question: What about transborder data flow?
Question: What about transactions between government and non-governments?
10. Why do we need to comply with PDPA 2010?
::: Recognition of privacy (informational) as one of the fundamental human rights
::: Protection of invaluable data that are sensitive, are being commoditised, and have vast potential to be commoditised
11. What are the 7 data protection
principles?
P1: General Principles – Consent, Lawful Purpose, Necessary, Adequate and Not Excessive: Sections 6(1) – (3)
P2: Notice and Choice Principle: Section 7(1)
P3: Disclosure Principle: Section 8, cross reference to Section 39
P4: Security Principle: Section 9(1) & (2)
P5: Retention Principle: Section 10
P6: Data Integrity Principle: Section 11
P7: Access Principle: Section 12
12. Will PDPA 2010 kill my business operations?
::: Yes, if your business operations are inconsistent and non-compliant with the PDPA 2010's 7 data protection principles;
::: Yes, if your business operations do not have the necessary framework, control, management and monitoring of the 7 data protection principles' requirements;
::: No, as PDPA 2010 enhances trust, value and reputation of
your business; and
::: No, as PDPA 2010 seeks to safeguard all of your data
13. To what extent does PDPA 2010 affect your business operations?
::: Corporate Office (HR, Legal, Finance, Audit & Administration)
::: Marketing & Business Development
::: Business Partners & Contractors
::: Local & International engagements
14. To what extent does PDPA 2010 affect your business operations?
::: Categorisation of data
::: Documentation (Forms, Agreements & Policies)
::: ICT deployment (Data security)
::: Human capital (skills & trainings)
15. We are a start-up and a semi medium-sized company, how should we strategise?
::: Controls & Systems
::: Planning & Execution
::: Partial Outsourcing Route & Adequacy
::: Back-to-Back Arrangement & Execution
16. We are a start-up and a semi medium-sized company, how should we strategise?
::: Cost
::: Resources & Skills Limitations
::: Culture & Awareness
17. When should we start?
Assumption 1: If the date of enforcement is within Quarter 2 of 2012, it's recommended to start the planning & execution by Quarter 4 of 2011 – Quarter 1 of 2012
Assumption 2: If the date of enforcement is within Quarter 1 of 2012, it's recommended to start the planning & execution NOW
Key Assumption: The proposed Malaysian Data Protection Commissioner will be established in Quarter 1 of 2012
18. Vignette 2
Keranamu is a Government Consultant who
advises on strategic acquisition of certain
stakes in Company 76, a public listed
company, incorporated in Hong Kong. The
proposed acquisition is channeled through a
leading Government Investment arm.
Company 76 appoints a European-based
consultant to act on their behalf in the
negotiations.
19. Is there any additional compliance cost
for this purpose?
::: Yes, subject to the budget, resource
planning & business plans
::: No, if it has been anticipated
20. How about formality and enforcement?
::: Registration of Data User – Certificate (Renewal, Revocation & Surrender)
::: Notification & Access Request
::: Inspection of Personal Data System
::: Report, complaint and investigation by Commissioner
::: Enforcement Notice
::: Variation or cancellation of Enforcement Notice
::: Power of investigation, search & seizure with warrant
::: Power of arrest
::: Prosecution
21. How about formality and enforcement?
::: Offences by body corporate
::: Compounding of offences
::: Abetment and attempt punishable as offences
::: Register
::: Transfer of personal data to places outside Malaysia
::: Unlawful collecting of personal data
::: Jurisdiction: Sessions Court
::: Protection of Informers
::: Protection against suit and legal proceedings
22. Vignette 3
Truly Asia Travels & Tours has been appointed
by some governmental agencies and private
companies as their exclusive travel agent. The
terms of reference include managing such
flight, hotel, travel itinerary and related
bookings. The processing, transfer and sharing of
data subjects' data are done globally.
23. What's next and the to-do list?
::: Strategic planning
::: Resource planning
::: Dissemination planning
24. What's next and the to-do list?
::: Strategic planning
Board Leadership: DPP as part and parcel of organisation/company's Key Performance Indicators (KPIs)
Senior Management: Driving DPP across the whole spectrum of organisation/company
Managers & Working Team: Overseeing & monitoring the required affected portfolios that intersect with PDPA 2010
25. What's next and the to-do list?
::: Resource Planning
Portfolio & Reporting creation/structure: Subject to the setting of the Corporate Office's structure
Skills & knowledge enhancement: Training, Consultation & Certification
26. What's next and the to-do list?
::: Dissemination Planning
Data Protection & Privacy Campaign: Across the organisation / company
World's Data Protection Day Event: 28th January (of the year)
27. How to ensure such data protection & privacy management is sustainable?
::: Trust
::: Culture
::: Monitored compliance, controls and execution
28. Vignette 4
Hospitals A1, A2 & A3 are government
hospitals. These hospitals deal with patients
who mostly consist of the public, and engage with
local and international consultants.
29. Vignette 5
Universities B1, B2 & B3 are public
universities. These universities engage with
local and international students, consultants,
international academics and universities
globally.
30. THANK YOU
QC™
London. Kuala Lumpur. Jakarta
Data Diagnosis | Privacy Impact Assessment | Data Protection & Privacy Strategy
Training | Data Protection & Privacy Certification | Public & Private Consultations
<noriswadi@googlemail.com>