What does this cover?

In August 2015 we reported on the Malaysian Personal Data Protection Commission (PDPC) publishing its consultation paper on data protection and three new draft standards on data security, data retention and data integrity (the Draft Standards). It was the first time the PDPC had opted to use its power to produce legally binding standards under the Personal Data Protection Act 2010 (the PDPA).

Following this, on 23 December the Personal Data Protection Standards 2015 (the Standards) came into force. Data protection principles are a new concept to Malaysia and the Standards' prescriptive format aims to clarify certain elements of the PDPA in order to provide organisations with guidance for implementation.

The Standards address some of the more subjective elements of the PDPA dealing with:

  • correcting data;
  • data collection and retention;
  • data storage; and
  • the physical transfers of data and records of such transfers.  

A copy of the Standards is available here (Malaysian).

The Standards are expected to be available in English shortly.

What action could be taken to manage risks that may arise from this development?

Global organisations operating in Malaysia are likely already familiar with the data protection requirements detailed in the Standards, but financial services companies should make sure these concepts are understood by local employees at all levels of the organisation to ensure effective compliance with the PDPA and the Standards.