"The act applies to data and processes that are carried out in Malaysia. This means someone who is using, for example, Facebook or Gmail to sell small items and stores data about their customers and transactions on the providers' servers, would come under the jurisdiction of the country where the servers and transactions are being carried out," said Abu Bakar.
Data protection is not rocket science
"The efficiency of computer networks as well as the rise of the Internet and personal computing behaviours around the world has fuelled the increase of the fast flow of information and personal information," said Abu Bakar, during his presentation. "Personal data has been described as the 'the oil of the Internet' by the World Economic Forum in 2011. But according to Forrester Research, almost 90 percent of online consumers want the right to control how their personal information is used after it is collected as well as the right 'to be forgotten' if they so wish."
"Data from the Special Eurobarometer 2011 showed that 43 percent of Internet users say they have been asked for more personal information than is necessary," he said. "It is about trust and managing risk, which are major determinants towards the intention to purchase and the purchasing of goods and services, especially online. Trust is of course difficult to gain but easy to lose."
"Data protection is not rocket science; it is about respect and common sense for people's personally identifiable information [PII]," said Abu Bakar. "We need to strike a balance between the legitimate needs of organisations to process personal data and the privacy of individuals. Good data protection is good for all people."
"PII include any data including mobile numbers, e-mail addresses and so forth that can identify an individual," he said, adding that both automatic (digital) and manual (hardcopy) data is covered by the new PDPA. "Once the agreed purpose for the collected data has been met, such as a completed loan with a bank, it must be destroyed. Individuals have the right to access the data that organisations hold and make proven amendments as well."
There are partial and total exemptions within the act, added Abu Bakar. "These include the use of data for crime detection/prevention, tax/duty assessment & collection, and certain journalistic & artistic uses; also exempted are federal and state bodies and agencies."
Symantec's best practices
Symantec director for government and public Sector, Asia South region, Subhendu Sahu said the company has gained significant experience in other parts of the world that already enforce privacy regulations especially in Europe and U.S. in the last two decades. "Companies in Malaysia and this region started asking us for our advice on preparations for such acts from more than a year or so ago. Our solutions can be customised to help monitor, manage and secure PII so that companies put into place reasonable safeguards to comply with PDPA."
"Security safeguards need to take care of present and future threats and these now need to be significantly stronger," said Sahu. "Security and managing information is always an ongoing race he said and an organisation needs to have regular reviews by external security experts, as well as test the organisation's incidence response processes. Smaller organisations such as SMBs (small and medium businesses) could also take advantage of management features, which include mobile device management.
"Symantec's work with the Phonemon Institute found that 88 percent of organisations in the US reported data loss," said Symantec Malaysia's director of System Engineering, Nigel Tan. "Also, about 59 percent of employees leave a company with data, and the average cost of a data breach in US was US$7.2 million. In 2011, we found that the general data breach numbers, which include PII, has increased against 2010. About 232 million identities were exposed in 2011, which means an average of 1.1 million identities exposed per breach. Hackers are now targeting PII in their recent attacks."
"Organisations in Malaysia should start their journey to be ready for the enforcement of PDPA by identifying sensitive data and creating access policies," said Tan. "Secondly, organisations need to confirm where the data is [find all sporadic machines] and so forth. The biggest challenge when I talk with clients is finding and consolidating the data."
Sign up for CIO Asia eNewsletters.