This article first appeared in Digital Edge, The Edge Malaysia Weekly on November 30, 2020 - December 6, 2020
This year has seen an unprecedented acceleration of digital transformation efforts, as businesses grasp at any sort of technology to stay afloat in what has generally been a miserable 2020.
In the rush to digitally transform, companies have taken to transferring untold amounts of data — a large chunk considered to be personally identifiable — to the cloud. This raises questions about their adherence to the Personal Data Protection Act 2010, the flagship legislation governing the collection, use and storage of personal data.
In recent months, Singapore’s Parliament proposed several key amendments to its own Personal Data Protection Act 2012. These amendments included a reporting requirement for data breaches, in addition to developing a tiered fine system that would increase proportionately relative to the offending company’s annual turnover in Singapore.
Digital Edge takes a look at the state of Malaysia’s own Personal Data Protection Act 2010 (PDPA).
The PDPA needs a reporting mandate to build greater accountability into Malaysia’s burgeoning data economy, says Sonia Ong, partner at the IT and technology practice of Wong Partners. The law firm is a member of Baker McKenzie International.
“As things stand, the PDPA does not include a mandatory data breach reporting regime, either to regulators or to affected users,” Ong tells Digital Edge.
Earlier this year, the Data Protection Commission released a public consultation paper, with a lengthy list of proposed amendments designed to build more accountability and bite into the PDPA. Unfortunately, the rapid onset of the pandemic put paid to those plans, and the public consultation process has been on the backburner since earlier this year.
“While there are quite a number of proposed amendments to the PDPA, I believe the two most crucial amendments are the reporting requirement, in addition to what is referred to as ‘privacy by design’.
“This is a proposed amendment aimed at creating a culture of appreciation of data privacy in all aspects of a business’ practices. It is very much a preventive measure, meant to minimise the risks of data breaches to begin with,” she says.
Data privacy does not track particularly well in Malaysia because Malaysians, generally speaking, are not as vocal as their Western counterparts about civil liberties.
“There is definitely a need to build more awareness about the importance of data privacy in Malaysia,” says Vernon Chua, CEO of enterprise data analytics start-up Innergia Labs Sdn Bhd.
“I wish more people realised that the seemingly innocuous act of receiving unsolicited phone calls from companies most likely amounts to a violation of one’s personal data.”
Chua believes that, unless more people in Malaysia speak up about their right and reasonable expectation to data privacy, enforcement is going to be a challenge simply because there would be so few who would make a complaint in the first place.
When it comes to businesses, Chua advises leaders to adopt a data-centric version of the classical “golden rule”. “I would advise businesses to treat the data of others with the same respect as you would have others treat your own personal data.
“In addition, I would call on businesses, especially start-ups, to take some time to understand the provisions of the PDPA in Malaysia. There are already quite a lot of resources online that help simplify the law. As long as you adhere to the main principles laid out in the PDPA, you will be reasonably well-insulated from privacy risks.”
Finally, start-ups should periodically reevaluate their data capture, usage and storage protocols, while keeping in mind who in the company has access to such records.
“If you’re a start-up with just three founders, it stands to reason that all of you need to use the personal data. But as you expand and hire employees, be mindful of who it is you grant access to and put appropriate safeguards in place to minimise the risk of data breaches.”
Save by subscribing to us for your print and/or digital copy.
P/S: The Edge is also available on Apple's App Store and Android's Google Play.