You’ve never heard of the PDPA 2010?
If you run a Sdn Bhd and don’t already know the Personal Data Protection Act 2010, please give your Company Secretary a spanking because it’s their job to make sure you know!
Then tell them to stand in the corner for half an hour.
Just like the Companies Act 2016, the Personal Data Protection Act 2010 is a crucial piece of legislation for company directors in Malaysia to understand to keep business operations fully compliant.
The bubble of limited liability bursts when you break the law.
Key Takeaways:
- The Personal Data Protection Act (PDPA) 2010 governs the collection and use of individual personal data for commercial purposes in Malaysia.
- Personal data refers to any piece of information that by itself or when combined with other pieces of information can identify a specific real life individual.
- A business that collects and stores personal data has a legal duty to protect against said data being leaked.
- The PDPA 2010 sets out expected standards with regards to reasonable data collection and storage which all businesses must obey.
- There are a host of offences under the PDPA with fines ranging from RM100,000 – RM500,000 and prison terms from 1 – 3 years.
- We list the three most relevant offences the average SME owner should know about below.
- By far, the biggest contributors to data breaches are mistakes and criminal acts by employees.
- Engage our digital company secretarial team to learn how we can ensure your company SOPs are fully compliant with the PDPA 2010.
Alright, so what’s the PDPA 2010?
The Personal Data Protection Act (PDPA) 2010 governs the collection and use of individual personal data for commercial purposes in Malaysia.
Its purpose is to protect individuals from having their lives compromised by personal data collection, storage, and usage by businesses operating in Malaysia (yes, foreign businesses must also comply).
Unfortunately, many businesses aren’t aware this act even exists.
They are also unaware that, every day, they casually commit offences that can rack up fines of up to half a million Ringgit and imprisonment for company directors.
All it takes is one data breach due to carelessness and the board of directors will soon have a new vacancy.
The PDPA in a nutshell
You can find a full list of act terminology on the official Department of Personal Data’s page.
For now, here’s what you need to know to understand your responsibility.
- A business (and its employees) that collects, stores, and makes use of personal data for commercial purposes is referred to as a ‘data user’.
- Persons whose data a business stores for commercial use are referred to as ‘data subjects’, and can include customers, directors, shareholders, and employees.
- Third parties handling data on behalf of the business, such as software subscriptions, are referred to as ‘data processors’.
Personal data refers to any piece of information that by itself or when combined with other pieces of information can identify a specific real life individual, such as:
- names
- dates of birth
- phone numbers
- email addresses
- physical addresses
- MyKad numbers
- religious beliefs
- political affiliations
- medical records
A data user has a legal duty to protect against a data subject’s personal data being leaked, compromised, stolen, or misused. In other words, if there is a data breach despite the company meeting the safety standards of the PDPA, no offence has been committed.
If you’re familiar with how SMEs operate, however, you know that’s a pretty big ‘if’.
Often, what happens is a pretty big ‘oof’ – which brings us to our main section.
3 key offences under the PDPA 2010
In total, there are 19 offences under the Personal Data Protection Act 2010.
We’re sure one day an enterprising fellow will invent a new way to commit an offence.
Then the government can bump the list up to a more satisfying 20.
In the meantime, we’re listing out the top three most potentially damaging candidates.
With a clearer understanding of what constitutes an offence under the PDPA, our readers can hopefully self-audit internal workflows and implement necessary changes.
1. Transfer of personal data to places outside Malaysia
129 (1) A data user shall not transfer any personal data of a data subject to a place outside Malaysia unless to such place as specified by the Minister, upon the recommendation of the Commissioner, by notification published in the Gazette.
Although there are legitimate cases to transfer personal data overseas, it must be after due diligence has been done to ensure that any third-party data processors are legitimate and will not misuse the data.
This includes uploading documents and files to third-party websites to have them modified or scanned, such as to add a signature to a PDF document. Those servers are often overseas, and a malicious threat actor can quickly ferry your users’ personal data halfway across the world.
Penalty: a fine of up to three hundred thousand ringgit, imprisonment of up to two years, or both
2. Failure to obey Personal Data Protection Principles
5 (1) The processing of personal data by a data user shall be in compliance with the following Personal Data Protection Principles, namely the General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle, and the Access Principle,
We’ll cover the seven Personal Data Protection Principles in a separate post, but in general these principles address how data users must obtain consent from data subjects, provide them with access to their personal data, and take precautions to keep it safe.
Think of lists of emails, names, and phone numbers with unrestricted access for everyone in the company, confidential files being shared over unsecured connections, and customers who have no idea their names are in your database, and you have a pretty slam-dunk case for an offence.
Penalty: a fine of up to three hundred thousand ringgit, imprisonment of up to two years, or both
3. Unlawful collection & sale of personal data
(1) A person shall not knowingly or recklessly, without the consent of the data user collect or disclose personal data that is held by the data user or procure the disclosure to another person of personal data that is held by the data user.
If any employee, business department, or team in your company is found guilty of collecting personal data without the customers’ knowledge or, worse, selling or sharing it with outside parties, the company may be held liable for the unlawful collection of personal data.
Penalty: a fine of up to five hundred thousand ringgit, imprisonment of up to three years, or both
Solution: Clear company-wide SOPs
The number one reason for data breaches has always been human error.
It won’t do much good to install the best cybersecurity software the business can afford if employees are still prone to opening blatantly suspicious emails.
If you haven’t already, consider taking the following steps:
- ensure that employees are kept up to date on how to handle personal data
- have clear and unified channels for distribution and storage across the organisation
- establish clear access levels between departments
- when in doubt, err on the side of caution
- never disclose personal data to external third parties
- advise staff not to click on email links on their phones, as the small screens obscure visibility
- ensure department heads understand the importance of informing data subjects and obtaining consent before collecting and storing personal data
If there is a data breach and the authorities discover your entire HR department has set their database password as ‘password’, the entire company is likely to be held liable, and you as the director may be looking at prison time.
Let MISHU handle your data compliance needs
FAQs about the Personal Data Protection Act 2010
- What is the Personal Data Protection Act 2010 (PDPA)?
💡The PDPA is Malaysia’s first comprehensive personal data protection legislation to regulate the handling and processing of personal data in commercial transactions.
- How is personal data defined under the PDPA?
💡Any information that relates directly or indirectly to a data subject (individual), who can be identified or identifiable from that information. This definition also encompasses sensitive personal data and expressions of opinion about the data subject.
- What is considered sensitive personal data under the PDPA?
💡Information about the physical or mental health or condition of a data subject, their political opinions, religious beliefs or other beliefs of a similar nature, and any criminal offences committed or alleged to have been committed by the data subject.
- Who is the authority responsible for implementing the PDPA?
💡That would be the Personal Data Protection Commissioner, who is appointed by the Minister of Communications and Multimedia.
- Which organisations are required to register under the PDPA?
💡Organisations operating in communications, banking and financial institutions, insurance, health, tourism and hospitality, transportation, education, direct selling, and various service industries must register under a specific class of data user. However, ALL companies are bound by the requirements of the PDPA even if they do not need to register for a licence.