Photo - Scott Thiel, Partner, DLA Piper Hong Kong.
As Malaysia's Personal Data Protection Act 2010 officially came into force on 15 November 2013, all Malaysia-linked businesses have three months to ensure they are fully compliant with the new privacy regime, said global law firm DLA Piper.
Speaking with Computerworld Malaysia, DLA Piper's Hong Kong-based partner, Scott Thiel, said, "Malaysia's Personal Data Protection Act 2010 (PDPA) introduces a broad privacy regime in Malaysia for the first time. Prior to the PDPA, there were few requirements and few restrictions concerning personal data protection."
"The combination of statute, industry codes and common law was not adequate to fully regulate and protect the collection, use, processing, storage and transfer of personal data," said Thiel. "The PDPA will have a wide range of implications for businesses operating in Malaysia. Many businesses may lose the ability to fully commercialise existing (and potentially highly valuable) data if they are to operate in a manner which is fully compliant with the PDPA."
"Businesses and organisations that operate within and through organisations in Malaysia need to be aware of these changes, as even usage of equipment in Malaysia that processes personal information would be subject to the Act," he said.
"The Personal Data Protection Act 2010 introduces new standards of fair dealing with regard to personal data in Malaysia, which entrenches the idea that an individual has the right to ensure that his personal information is accurate and is being used fairly in accordance with the law," Thiel said. "The growth of big data and a rise in cybercrime have necessitated privacy and personal data protection."
"The Act will have wide-ranging implications for businesses and organisations that deal with large volumes of personal data," he added.
End the dangerous 'wait-and-see' approach
"Leading up to the enactment of the PDPA, many industries and businesses have taken the 'wait-and-see approach'," he said. "This approach was exacerbated by the extended delay in the implementation of the new laws."
"However, this approach has now created a compliance challenge as businesses now only have three months to comply with the PDPA (i.e. until 15 February 2014)," he said. "As we have seen in other jurisdictions [countries] that have implemented first generation privacy laws, many businesses will find that they have a long way to go to become meaningfully compliant and over-estimate their current level of compliance."
"This sentiment towards the PDPA is dangerous as the new regime provides sanctions including fines of up to RM300,000 [US$94,236] and imprisonment for as much as two (2) years," he added.
"[In addition] the inevitable growth in awareness of the PDPA will lead to complaints - both legitimate and vexatious - and complaints are one of the most common triggers for regulatory investigation," said Thiel.