The Personal Data Protection Act 2010 (PDPA) was gazetted by the Malaysian Government on 14 November 2013 and came into force the next day. With a three-month period for companies to comply, Malaysia is the first country in Southeast Asia to have an enforceable comprehensive data protection law. This puts Malaysia into new territory, as businesses operating in Malaysia and its citizens navigate these uncharted waters, each coming to understand their new rights and responsibilities. At the center of this will be the Malaysian Government, and specifically the Personal Data Protection Department.
If the experiences of other jurisdictions with more mature data protection legislation are an accurate gauge, the first year will bring with it a number of challenges. The public education issue noted earlier would be one of those faced by Malaysia. Companies with multinational footprints would need to ensure that their data privacy policies are compliant with the requirements of the PDPA.
However, with the PDPA having similar principles to those from jurisdictions like Europe, these larger enterprises will have the necessary expertise and resources on hand to prepare themselves. The greater concern should be for the smaller companies, many of which have to deal with data protection for the first time. For a small company, this can be quite daunting: registering pursuant to the Act, drafting data use policies, understanding the circumstances under which personal data can and cannot be collected, and even obtaining consent and providing avenues for data owners to withdraw consent.
Taking the first step
The most important consideration for all organisations, large or small, is to begin a more in-depth consideration of whether it is necessary to collect each particular piece of information about their customers. Where possible, the necessary assistance and guidance need to be made available to them. Here, the long gap between the passing of the law and its being gazetted works to give these companies time to build the capability and understanding. The Government's effort in pushing this over the past years should hopefully lead to a smooth transition when the law is enforced.
For consumers in Malaysia, the challenge is also to understand their rights under the PDPA. For the layman, the concept of data privacy can be quite foreign, and the intricacies of 'consent' can easily seem to be an overcomplication of a simple matter. However, it is important that they are properly informed of these intricacies. This will allow them to make an informed decision every time they are asked to provide personal data, based on what they understand they are giving (or denying) permission for. This will also reduce the occurrence of frivolous complaints, where the company might have correctly obtained permission but the consumer does not correctly understand what permission was given.