How to comply with Malaysia’s Personal Data Protection Act (PDPA)?

Sameer Ahirrao -

Understanding global data privacy regulations can be complex, but it's crucial for businesses to minimize legal and financial risks. This blog will explain what PDPA Malaysia is, why it matters, and what responsibilities businesses need to fulfill, among other details.

What is PDPA Malaysia?

The Personal Data Protection Act (PDPA) in Malaysia governs how personal data of Malaysian residents is handled in commercial transactions. Introduced in 2010 and enforced starting on 15th November 2013, the PDPA is designed to protect personal data from misuse by businesses. It applies to anyone involved in processing personal data for commercial purposes, whether in Malaysia or abroad if the data pertains to Malaysian residents.

Key provisions include requiring consent before processing data, ensuring data security and integrity, and limiting data disclosure. The act is enforced by the Personal Data Protection Commissioner's office, which oversees compliance, offers guidance, and handles violations.

Who Does PDPA Malaysia Apply to?

The PDPA Malaysia applies to any business located in Malaysia or using Malaysian equipment to process personal data. This includes companies that:

  • Process personal data
  • Control data processing
  • Authorize data processing in commercial transactions

The PDPA has an "extra-territorial effect," meaning it can also apply to businesses outside of Malaysia if they use Malaysian equipment to process data or engage data processors in Malaysia.

However, the Act does not apply to the Malaysian Federal Government, State Governments, or personal data processed outside Malaysia unless it's intended for further processing within the country.

Under Section 2(4), a data user is considered established in Malaysia if:

  • They are physically present in Malaysia for at least 188 days in a calendar year
  • Incorporated under the Companies Act (Act 125)
  • Formed as a partnership or other unincorporated association under Malaysian law
  • Maintain an office, branch, agency, or regular practice in Malaysia

Basics of Compliance Under PDPA Malaysia

Like other data privacy laws, such as Singapore's PDPA, the Malaysian Personal Data Protection Act is built on specific principles and provides individuals with certain rights.

Let's explore these principles and rights in the following sections:

Malaysia PDPA Principles

The Malaysian PDPA is built on seven key principles that data users must adhere to:

General Principle: Personal data cannot be processed without the data subject's consent unless the processing is necessary for:

  • Fulfilling legal obligations
  • Performing a contract
  • Taking steps requested by the data subject to enter into a contract
  • Protecting the subject's vital interests
  • Administering justice
  • Carrying out functions authorized by law

Notice and Choice Principle: Data users must inform the data subject in writing about:

  • The processing of their personal data and a detailed description of it
  • The purposes for which the data is processed
  • The source of the data
  • The data subject’s rights to access and correct the data, along with contact information for inquiries and complaints
  • Any third parties with whom the data may be shared
  • The options available to limit the processing of their data
  • Whether the data subject is required to provide the data
  • The consequences of not providing the data if it is required

Disclosure Principle: Personal data cannot be disclosed without the data subject’s consent, unless:

  • The purpose for disclosure was made clear at the time of collection
  • The disclosure is for a purpose directly related to the initial purpose

Security Principle: Data users must take appropriate measures to protect personal data from loss, misuse, unauthorized or accidental access, disclosure, alteration, or destruction during processing.

Retention Principle: Personal data should only be retained for as long as necessary to achieve the intended processing purpose. Once that purpose is fulfilled, the data must be permanently destroyed.

Data Integrity Principle: Personal data must be kept accurate, complete, up-to-date, and not misleading for its intended purpose. It is the data user's responsibility to ensure this by taking necessary actions.

Access Principle: Data subjects have the right to access their data held by the data user and correct any inaccuracies, incomplete information, outdated data, or misleading details.

Data Subject Rights

Under PDPA Malaysia, individuals have several rights regarding their personal data:

  • Right of Access to Personal Data: Individuals have the right to be informed about the processing of their personal data by the data user or on behalf of the data user. The data user must respond to any request for access to personal data in a clear and understandable manner.
  • Right to Correct Personal Data: Individuals can request that the data user correct any inaccuracies, misleading information, or outdated data that has been collected about them.
  • Right to Prevent Processing Likely to Cause Damage or Distress: If data processing could potentially cause harm or distress, the individual can issue a "data subject notice" to the data user to stop or avoid starting the processing.
  • Right to Prevent Processing for Direct Marketing: If personal data is being or will be used for direct marketing (e.g., promoting products or services via email, SMS, or online ads), the individual can request the data user to stop this processing. If the data user doesn't comply, the individual can appeal to the Commissioner, who can enforce compliance.
  • Right to Withdraw Consent: Individuals can withdraw their consent for data processing at any time by sending a written notice to the data user.

How to Comply with PDPA Malaysia?

If you're doing business in Malaysia or have customers there, it's crucial to comply with PDPA Malaysia. Here are some key steps to help you do that:

1) Obtain Explicit Consent

Before collecting, using, or disclosing personal data, you must obtain explicit consent from the individual. This consent should be given voluntarily, and the individual must be informed about the purpose of processing, the types of personal data being collected, retention periods, and any third parties who will have access to their data. Remember, individuals can withdraw their consent at any time.

2) Conduct a Personal Data Audit

Carry out a comprehensive audit of the personal data you hold, including how it's processed, where it's stored, and who has access to it. This audit will help ensure your organization meets its compliance obligations under the PDPA.

3) Develop Clear Data Protection Policies

Establish and enforce clear policies and procedures for protecting the personal data you process. This includes defining who has access to the data, how you handle data subject requests, and more. These policies should cover data localization, cybersecurity, and other relevant areas. Ensure these policies and procedures are well-communicated throughout your organization.

4) Implement Robust Data Security Measures

Establish strong physical and digital security protocols to protect personal data from unauthorized access, loss, disclosure, misuse, alteration, or destruction.

5) Create a Data Breach Response Plan

Develop a comprehensive response plan for data breaches. This plan should include notifying the Commissioner, containing the breach, and assessing the impact on affected customers.

6) Provide Regular Training and Education

Regularly train and educate your employees on data protection and their responsibilities under PDPA Malaysia to ensure they understand and comply with the law.

Penalties for Non-Compliance

The Personal Data Protection Act of Malaysia imposes strict penalties for non-compliance, which are enforced by the Commissioner.

  • Violating PDPA principles can result in a fine of up to 300,000 ringgit (approximately $64,500), a prison sentence of up to two years, or both.
  • If a data user fails to comply with a data subject’s rights request, they could face a fine of up to 200,000 ringgit (around $43,000), up to two years in prison, or both.
  • If a data user continues processing data after their registration has been revoked, they could be fined up to 500,000 ringgit or sentenced to up to three years in prison, or both.

Conclusion

This comprehensive guide aims to help you understand PDPA Malaysia, including its purpose, principles, data subject rights, and your compliance responsibilities.

What's the next step for your business? You can either have your data protection officer implement these guidelines or let Ardent Privacy take care of it for you!

How Ardent Privacy helps to comply with Malaysia PDPA?

Ardent Privacy supports compliance with Malaysia's Personal Data Protection Act (PDPA) in several ways:

  • Data Discovery and Classification: Ardent Privacy helps organizations identify and classify personal data within their systems. This aligns with the PDPA’s requirement for organizations to understand what personal data they hold and how it is used.
  • Consent Management: The platform offers tools to manage and track consent, which is a key requirement under the PDPA. It helps ensure that consent is obtained before processing personal data and that records of consent are maintained.
  • Data Protection Impact Assessment (DPIA): Ardent Privacy supports the conduct of DPIAs, which are necessary under the PDPA for assessing and mitigating risks associated with the processing of personal data.
  • Data Subject Rights: The platform facilitates the handling of data subject requests, such as requests for access, correction, and deletion of personal data. This ensures that organizations can comply with the PDPA’s requirements for responding to such requests in a timely manner.
  • Data Security Measures: Ardent Privacy provides tools for implementing and monitoring data security measures, helping organizations protect personal data from unauthorized access and breaches, as required by the PDPA.
  • Data Retention and Disposal: The platform supports data retention and disposal policies, helping organizations comply with the PDPA’s requirements for retaining personal data only as long as necessary and securely disposing of it when no longer needed.
  • Reporting and Documentation: Ardent Privacy offers robust reporting capabilities to generate compliance documentation and audit trails. This helps organizations demonstrate their adherence to the PDPA during audits and inspections.
  • Privacy by Design: The platform encourages incorporating privacy by design principles into business processes and systems, ensuring that data protection considerations are integrated from the outset of any project or system development.

By leveraging these features, Ardent Privacy aids organizations in meeting the compliance requirements of the Malaysian PDPA and enhancing their overall data protection practices.