Clock ticking for Personal Data Protection Act compliance
By Gabey Goh September 13, 2012
- Personal Data Protection Act expected to be enforced by end of 2012
- Many companies not ready to comply, and will have only three months to do so once the enforcement date is announced
TIME is running out for Malaysian companies to comply with the imminent implementation of the Personal Data Protection Act (PDPA).
The PDPA is aimed at regulating the processing, by data users, of the personal data of individuals involved in commercial transactions, in order to protect that personal data and thereby the interests of the individual concerned.
Professor Abu Bakar Munir, a professor of law at the University of Malaya, said that the ‘wait and see’ attitude being adopted by many companies in the country was not a good approach.
“Once the enforcement date is announced, companies will only have three months to comply with the Act and that is too short a time,” he said at a media forum on the PDPA’s enforcement hosted by security firm Symantec.
The PDPA was gazetted into law in June 2010 and was scheduled to be in force by June 2012 to allow time for the Information, Communications and Culture Ministry to set up a new Personal Data Protection Department, train staff, and select a commissioner to oversee the PDPA’s enforcement.
The June deadline for enforcement was postponed due to the need to finalize the regulations and rules related to the PDPA’s enforcement, such as the registration process companies will need to undergo.
“The PDPA does not state in detail things such as registration fees and processes; these are the issues now being outlined and will be provided upon its enforcement,” said Abu Bakar.
He added that in his conversations with the relevant government agencies regarding the timeline for the PDPA’s implementation, no confirmed date was given; however, it is highly likely to take place by the end of this year.
Thirteen new criminal offences have been created by this Act, with penalties ranging from a maximum jail term of one year, a RM200,000 fine or both, to a maximum jail term of three years, a RM500,000 fine or both.
Offences include processing without a certificate of registration, processing after consent has been withdrawn, and failure to comply with the Commissioner’s requirements.
Criminalization of offences
When asked why the offences for non-compliance were criminal rather than civil, as in other countries with similar data protection laws, Abu Bakar said the decision was made during the development and drafting of the PDPA.
“For the act to be able to be enforced effectively, taking into account the track record of the country, the penalties had to be criminal,” he said.
“In this part of the world, without criminal penalties, it will be difficult to enforce the PDPA but even then there is no guarantee. We have some of the harshest drug laws in the world but it is still not a complete deterrent,” he added.
Among the enforcement mechanisms and powers granted by the PDPA to the Commissioner are the right to enter premises and seize equipment without a warrant for the purposes of investigating offences, and the power to arrest and to recommend prosecution.
When asked how independent the Personal Data Protection Department would be, Abu Bakar said it was a tricky issue as under the Act, the Commissioner is appointed by and accountable to the Information, Communications and Culture Minister.
Symantec Malaysia’s director of system engineering, Nigel Tan, concurred with Abu Bakar’s observation that not enough companies were ready to comply with the PDPA upon its enforcement.
“Based on my personal observations, I would put the percentage of companies doing so at less than 50%. Those that already are have been working on compliance as early as two years ago, when the Act was first gazetted,” he said.
Other on-going infractions include collecting data too early online and having privacy policies which are too brief or not prominently located.
Subhendu Sahu, Symantec’s director for Government and Public Sector, Asia South Region, said that the threat landscape has changed significantly.
“Hackers have moved from pure hacktivism to causing real damage to national infrastructure, so it has become extremely important for governments and companies that deal with nationally important data to have significantly stronger security safeguards,” he said.
“We advise our clients to constantly review their security policies, bring in external experts to vet internal processes, set incident response and recovery practices and, most importantly, test them,” he added.
Malaysia leading the region
Subhendu said that it was fair to state that 50 to 60% of all countries are in some stage of implementing data privacy legislation and framework.
Within the region, Malaysia is the country closest to fully implementing legislation on data privacy and protection. In Singapore, the island nation’s Personal Data Protection Act had its first reading in Parliament this week, with the passing of the bill expected by year's end.
In countries with more mature data protection and privacy legislation, reforms are underway: the European Commission recently proposed a new set of data protection rules that include a "right to be forgotten", which would allow people to demand that organizations holding their data delete it, as long as there are no legitimate grounds to retain it.
“The inclusion of the ‘right to be forgotten’ is reflective of the rapid rise of social media. The speed and expansion of digital technology has gone beyond what legal frameworks had originally foreseen,” Subhendu said.
He added that Symantec has also recommended that the Malaysian Government consider including mandatory data breach notification requirements to strengthen the PDPA framework.
“Breach notification has an important educational leverage for users and policy makers to raise general awareness and should also incorporate reasonable limits to prevent over notification,” he said.
The inclusion of a 'safe harbor' principle was also proposed, under which organizations that can demonstrate the data was secured to an adequate level would not need to undertake any notification.
Tan said that companies seeking to comply with the upcoming enforcement of PDPA should view the steps to compliance as a necessary journey. Citing a global Symantec report, he said that 88% of companies experienced data loss and 59% of employees leave with data.
“Also, the average cost of a security breach is US$7.2 million, which includes the legal and compliance penalties a company would need to pay along with the ‘black eye’ the company will suffer to their public image,” he added.
According to him, the first step is to classify what data is sensitive and what is not. The second is to discover where the data resides so that appropriate controls can be put in place.
“This has been one of the biggest challenges faced by companies, just finding out where everything is physically located. In many cases, the data is sprawled across the organization, residing in different devices, being accessed by different users,” said Tan.
The next step, he said, is to put controls and protection in place based on where the data is and how it is being used.
“For example, in the case of a desktop computer on company property with security guards patrolling the premises, the need for high encryption and remote wipe safeguards might be less than a thumb drive or mobile device,” he said.
To companies still reluctant about beginning the compliance process, Abu Bakar said that it all boils down to practising respect and common sense. “It isn’t rocket science but there is a lot to do and time is running out.”