In early May 2017, a company in the educational industry was charged under the Personal Data Protection Act 2010 (“PDPA”) for processing the personal data of former employees without a certificate of registration. If convicted, the maximum penalty is a fine of RM500,000 or up to three years in jail, or both.

It was the first case to be prosecuted under the PDPA, and based on our correspondence with the Personal Data Protection Department (“PDPD”), it will be the first of many.

The PDPA has been in force since 2013, and we have been watching with increasing trepidation how general awareness in the business community has remained relatively low. Like the sword of Damocles hanging over the heads of non-compliant businesses, it was a matter of time before a data user would be booked under the PDPA.

Alas, those fears are now confirmed.

The PDPA applies to data users, i.e. businesses that process personal data for commercial purposes. There are no hard and fast rules as to what constitutes personal data, but a good rule of thumb is that if data can personally identify a person, it is personal data for the purposes of the PDPA.

Some categories of data users must be registered with the PDPD. They are listed below:

  1. Communications
  2. Banking
  3. Insurance
  4. Health
  5. Tourism/hospitality
  6. Transportation
  7. Education
  8. Direct selling
  9. Real Estate
  10. Utilities
  11. Pawnbrokers
  12. Moneylenders
  13. Services

This is a growing list and may continue to be expanded on. (For example, pawnbrokers and moneylenders were added to the list in December 2016.)

Upon successful registration, data users will be issued a certificate of registration. Data users who are in the list above but have not registered themselves may find themselves charged with an offence under the PDPA, like the company mentioned in the first paragraph of this article.

Data users that are not in the above categories do not need to register with the PDPD, but are still subject to other requirements in the PDPA.

All data users need to comply with 7 main principles (more information on those principles can be found here). The principles are detailed in the PDPA, and further supplemented in the Personal Data Protection Regulations and, most recently, the PDPA Standards.

Compliance with the principles is not particularly difficult. The PDPD has, in drawing up the policies, made compliance commercially viable even for start-ups and SMEs. In short, it is not too burdensome to comply with the PDPA once you know what to look out for.

We were informed that the PDPD will be running compliance inspections of certain classes of data users. By the time the PDPD informs you they are coming in, you will most likely not have enough time to put your compliance policies and standard operating protocols in place.

So, if you are in any doubt about your compliance with the PDPA, it is time to get those doubts cleared for your own peace of mind.

***

About the author: Ian Liew is an associate in Donovan & Ho’s corporate and commercial practice group. He is an advocate and solicitor of the High Court of Malaya, and has advised clients on issues such as shareholders’ agreements, venture capitalist fund-raising, and mergers & acquisitions of businesses.  

 
