The hotly anticipated Malaysian Personal Data Protection Act (PDPA) was finally enforced on 15 November 2013. Along with other related regulations and orders, the PDPA introduces a comprehensive data protection framework that imposes broad obligations on “data users” (data controllers) who process personal data in respect of commercial transactions. The framework is similar to the EU regime and is evidence of the growing adoption on EU-style privacy law globally.
After much delay, companies may almost be forgiven for taking their time in preparing to comply with the provisions of the PDPA. However, what’s for sure, is that companies need to now take action… and fast. For personal data collected from the date of enforcement onwards, compliance with the PDPA is immediate. While for personal data collected prior to the date of enforcement, there is a short transition period for compliance of just three months.
So what positive steps must data users take? Some key steps include:
- Registering: Depending on the sector that a data user operates in, it may have to register under the PDPA.
- Implementing notices: Data users are required to prepare notices for data subjects that explain, amongst other things, the purposes in which they process personal data.
- Obtaining consent: As a general principle, data users are required to obtain consent to process personal data. However, data users may process personal data if one of a number of other conditions are fulfilled, e.g. the processing is necessary for the performance of a contract to which the data subject is a party.
- Preparing to handle data access requests: Data users must generally comply with a data access request within 21 days of receipt. Companies should consider implementing policies, procedures and training on how best to handle these requests going forward.
- Complying with data transfer restrictions: Transferring personal data outside Malaysia is prohibited unless it is to a pre-approved country. There are exceptions to this rule, which include obtaining data subject consent, or taking all reasonable precautions and exercising all due diligence to ensure that personal data will not be processed in a way that will contravene the PDPA. It is yet to be seen whether this latter exception will cover the use of model contracts or binding corporate rules.
…and the compliance list goes on. With sanctions that include fines of up to 500,000 Malaysian Ringgit (approx. £95,000 / USD 155,000) and/or imprisonment of up to three years, the clock is ticking to get your house in order.