half day public-seminar_on_pdpa_2010_-_250711


Page 1: Half day public-seminar_on_pdpa_2010_-_250711

HALF-DAY PUBLIC SEMINAR ON MALAYSIAN PERSONAL DATA PROTECTION ACT (PDPA) 2010

25 July 2011, Monday, 9.30 am – 12 pm
Legal Training Room, Menara SSM @ Sentral

By Noriswadi Ismail

Quotient Consulting

7/23/2011 (c) 2011 Quotient Consulting, Information Is Invaluable

Page 2: Half day public-seminar_on_pdpa_2010_-_250711

Vignette 1

Harimau Malaya, Malaysian, holds a Malaysian ID, passport, driving license, 3 Malaysian bank accounts, 2 mobile accounts and 5 loyalty membership cards. His details are also registered in 2 private clinics, 1 government hospital and 2 insurance companies. He has 1 bank account in London and Hong Kong respectively. He travels frequently for business and golfing. He is a director of 3 companies in Malaysia, London and Hong Kong. He is also an avid golfer at 3 golf clubs (Malaysia, Indonesia and Scotland).

Page 3: Half day public-seminar_on_pdpa_2010_-_250711

Executive Summary

Q: What is PDPA 2010?

Q: Why do we need to comply with PDPA 2010?

Q: What are the 7 data protection principles?

Q: Will PDPA 2010 kill my business operations?

Q: To what extent does PDPA 2010 affect your business operations?

Q: We are a start-up and a semi medium sized company, how should we strategise?

Q: When should we start?

Q: Is there any additional compliance cost for this purpose?

Q: How about formality and enforcement?

Q: What’s next and the must-to-do list?

Q: How to ensure such data protection & privacy management is sustainable?

Page 4: Half day public-seminar_on_pdpa_2010_-_250711

What is PDPA 2010?

::: An Informational privacy legislation

::: 10 Parts (Preliminary; Personal Data Protection Principles; Registration; Data User Forum and Code of Practice; Rights of Data Subject; Exemption; Personal Data Protection Fund; Personal Data Protection Advisory Committee; Appeal Tribunal; Inspection, Complaint and Investigation; Enforcement; Miscellaneous; Savings and Transitional Provisions)

::: 146 Sections

::: Jurisdiction: Malaysia

Page 5: Half day public-seminar_on_pdpa_2010_-_250711

What is PDPA 2010?

::: Received Royal Assent on 2 June 2010, and gazetted a week later

::: Compliance commences: 3 months from the date of enforcement

::: Application: To commercial transactions only, not applicable to Federal and State Governments

::: Cross reference to: Electronic Commerce Act 2006’s definition of commercial transactions “…any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking, insurance, but does not include a credit reporting business carried out by a credit reporting agency…”

Page 6: Half day public-seminar_on_pdpa_2010_-_250711

What is PDPA 2010?

Regulator*

• Oversees and enforces the Laws

• Fund: Personal Data Protection Fund

Data Processor

• An authorised person who processes data on behalf of the data user

Data User

• A person / legal person who controls / authorises the processing of data

Data Subject

• Individual who is the subject of the personal data

Page 7: Half day public-seminar_on_pdpa_2010_-_250711

What is PDPA 2010?

*Regulator

• Minister

• Data Protection Commissioner

• Personal Data Protection Advisory Committee

• Data User Forum

• Appeal Tribunal

Page 8: Half day public-seminar_on_pdpa_2010_-_250711

What is PDPA 2010?

Question: What about Government Linked Companies (GLCs)?

Question: What about Government to Government’s engagements?

Page 9: Half day public-seminar_on_pdpa_2010_-_250711

What is PDPA 2010?

Question: What about transactions between government and non-governments?

Question: What about transborder data flow?

Page 10: Half day public-seminar_on_pdpa_2010_-_250711

Why do we need to comply with PDPA 2010?

Recognition of privacy (informational) as one of the fundamental human rights

Protection of invaluable data that is sensitive, is already being commoditised, or has vast potential to be commoditised

Page 11: Half day public-seminar_on_pdpa_2010_-_250711

What are the 7 data protection principles?

P1: General Principles – Consent, Lawful Purpose, Necessary, Adequate and Not Excessive – Sections 6(1) – (3)

P2: Notice and Choice Principle – Section 7(1)

P3: Disclosure Principle – Section 8, cross reference to Section 39

P4: Security Principle – Section 9(1) & (2)

P5: Retention Principle – Section 10

P6: Data Integrity Principle – Section 11

P7: Access Principle – Section 12

Page 12: Half day public-seminar_on_pdpa_2010_-_250711

Will PDPA 2010 kill my business operations?

::: Yes, if your business operations are inconsistent and non-compliant with the PDPA 2010’s 7 data protection principles;

::: Yes, if your business operations do not have the necessary framework, control, management and monitoring of the 7 data protection principles’ requirements;

::: No, as PDPA 2010 enhances trust, value and reputation of your business; and

::: No, as PDPA 2010 seeks to safeguard all of your data

Page 13: Half day public-seminar_on_pdpa_2010_-_250711

To what extent does PDPA 2010 affect your business operations?

Corporate Office (HR, Legal, Finance, Audit & Administration)

Marketing & Business Development

Business Partners & Contractors

Local & International engagements

Page 14: Half day public-seminar_on_pdpa_2010_-_250711

To what extent does PDPA 2010 affect your business operations?

Categorisation of data

Documentation (Forms, Agreements & Policies)

ICT deployment (Data security)

Human capital (skills & trainings)

Page 15: Half day public-seminar_on_pdpa_2010_-_250711

We are a start-up and a semi medium sized company, how should we strategise?

Partial Outsourcing Route

Controls & Systems

Planning & Execution

Back-to-Back Arrangement & Execution

Adequacy Route & Execution

Page 16: Half day public-seminar_on_pdpa_2010_-_250711

We are a start-up and a semi medium sized company, how should we strategise?

Resources & Skills

Cost

Culture & Awareness

Limitations

Page 17: Half day public-seminar_on_pdpa_2010_-_250711

When should we start?

Assumption 1: If the date of enforcement is within Quarter 2 of 2012, it’s recommended to start the planning & execution by Quarter 4 of 2011 – Quarter 1 of 2012

Assumption 2: If the date of enforcement is within Quarter 1 of 2012, it’s recommended to start the planning & execution NOW

Key Assumption: The proposed Malaysian Data Protection Commissioner will be established in Quarter 1 of 2012

Page 18: Half day public-seminar_on_pdpa_2010_-_250711

Vignette 2

Keranamu is a Government Consultant who advises on strategic acquisition of certain stakes in Company 76, a public listed company, incorporated in Hong Kong. The proposed acquisition is channeled through a leading Government Investment arm. Company 76 appoints a European-based consultant to act on their behalf in the negotiations.

Page 19: Half day public-seminar_on_pdpa_2010_-_250711

Is there any additional compliance cost for this purpose?

::: Yes, subject to the budget, resource planning & business plans

::: No, if it has been anticipated

Page 20: Half day public-seminar_on_pdpa_2010_-_250711

How about formality and enforcement?

Registration of Data User – Certificate (Renewal, Revocation & Surrender)

Notification & Access Request

Enforcement Notice

Variation or cancellation of Enforcement Notice

Report, complaint and investigation by Commissioner

Inspection of Personal Data System

Power of investigation, search & seizure with warrant

Power of arrest

Prosecution

Page 21: Half day public-seminar_on_pdpa_2010_-_250711

How about formality and enforcement?

Register

Transfer of personal data to places outside Malaysia

Unlawful collecting of personal data

Abetment and attempt punishable as offences

Compounding of offences

Offences by body corporate

Jurisdiction: Sessions Court

Protection of Informers

Protection against suit and legal proceedings

Page 22: Half day public-seminar_on_pdpa_2010_-_250711

Vignette 3

Truly Asia Travels & Tours has been appointed by some governmental agencies and private companies as their exclusive travel agent. The terms of reference include managing such flight, hotel, travel itinerary and related bookings. The amount of data processing of data subjects, transfers and sharing are done globally.

Page 23: Half day public-seminar_on_pdpa_2010_-_250711

What’s next and the to-do-list?

::: Strategic planning

::: Resource planning

::: Dissemination planning

Page 24: Half day public-seminar_on_pdpa_2010_-_250711

What’s next and the to-do-list?

::: Strategic planning

Board Leadership – DPP as part and parcel of organisation/company’s Key Performance Indicators (KPIs)

Senior Management – Driving DPP across the whole spectrum of organisation/company

Managers & Working Team – Overseeing & monitoring the required affected portfolios that intersect with PDPA 2010

Page 25: Half day public-seminar_on_pdpa_2010_-_250711

What’s next and the to-do-list?

::: Resource Planning

Portfolio & Reporting creation/structure – Subject to the setting of the Corporate Office’s structure

Skills & knowledge enhancement – Training, Consultation & Certification

Page 26: Half day public-seminar_on_pdpa_2010_-_250711

What’s next and the to-do-list?

::: Dissemination Planning

Data Protection & Privacy Campaign – Across the organisation / company

World’s Data Protection Day Event – 28th January (of the year)

Page 27: Half day public-seminar_on_pdpa_2010_-_250711

How to ensure such data protection & privacy management is sustainable?

Monitored compliance, controls and execution

Trust

Culture

Page 28: Half day public-seminar_on_pdpa_2010_-_250711

Vignette 4

Hospitals A1, A2 & A3 are government hospitals. These hospitals deal with patients who mostly consist of the public and engage with local and international consultants.

Page 29: Half day public-seminar_on_pdpa_2010_-_250711

Vignette 5

Universities B1, B2 & B3 are public universities. These universities engage with local and international students, consultants, international academics and universities globally.

Page 30: Half day public-seminar_on_pdpa_2010_-_250711

THANK YOU

QC TM

London. Kuala Lumpur. Jakarta

Data Diagnosis | Privacy Impact Assessment | Data Protection & Privacy Strategy

Training | Data Protection & Privacy Certification | Public & Private Consultations

<[email protected]>