Personal Data Protection Act (PDPA) - Malaysia

Principles of Personal Data Protection Act

The seven data protection principles are explained in detail below (PDPA 2010):

General principle

The General principle prohibits a data user from processing an individual's personal data without the individual's consent, except where the processing is otherwise permitted by law. The PDPA also forbids the processing of personal data unless it is for a lawful purpose directly related to an activity of the data user, the processing is necessary for or directly related to that purpose, and the data processed is adequate and not excessive in relation to that purpose.

Disclosure principle

This principle forbids the disclosure of personal data, without the consent of the individual, for any purpose other than the purpose for which the data was disclosed at the time of collection or a purpose directly related to it, and to any party other than a third party of the class specified in the notice given to the data subject.

Security principle

The PDPA imposes a duty on the data user to take practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction during its processing. Where processing is carried out by a data processor, the data user shall ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing, and shall take reasonable steps to ensure compliance with those measures.

Data integrity principle

Data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up-to-date, having regard to the purpose for which it was collected and further processed.

Retention principle

The data user shall take all reasonable steps to ensure that personal data is destroyed or permanently deleted once it is no longer required for the purpose for which it was collected. Personal data must not be kept longer than is necessary for the fulfilment of that purpose.

Notice and choice principle

By written notice in both the national language and English, the data user is required to inform the individual of certain matters, including the fact that the individual's personal data is being processed and a description of that data. The data user must give this notice as soon as the data user first requests the individual's personal data, first collects it, or first uses or discloses it to a third party for a purpose other than the original purpose.

Access principle

This principle gives the individual the right to access his or her own personal data and to correct it where it is inaccurate, incomplete, misleading or out of date. The PDPA also sets out the grounds on which a data user may refuse to comply with an individual's request for data access or data correction.

The Trust Challenge

Key obligations in brief

The extension of the PDPA to data processors, where direct obligations will be imposed on data processors to comply with the Security Principle of the PDPA.

The introduction of mandatory data breach notification obligations for data users, which will require data users to report data breaches within 72 hours.

The introduction of a new obligation on data users, where they will be required to appoint data protection officers.

The introduction of a new right to data portability for data subjects.

The restructuring of the existing mechanism for cross-border transfer of personal data under Section 129 of the PDPA, where data users will generally be allowed to transfer personal data overseas, save and except for jurisdictions that have been specifically blacklisted by the Minister.

The Trust Challenge

Key challenges in brief:

Employee data protection policy: It is recommended that organizations prepare an internal data protection policy for their employees, providing guidance on employees' rights and responsibilities when handling and processing personal data on behalf of the organization.

Disclosure, retention and data integrity policies: While not expressly prescribed under the PDPA and its subsidiary regulations, it is recommended that organizations also put in place documentation setting out the organization's policies, measures and procedures for ensuring compliance with the Disclosure, Retention and Data Integrity Principles under the PDPA.

Guidelines on handling data access and correction requests: It is recommended that organizations prepare guidelines to ensure that proper mechanisms are in place, and to guide employees in handling data access and correction requests from data subjects.

Data mapping exercise: While the PDPA does not mandate data mapping exercises, they are generally considered a best practice for all data users, since they help a data user to list out and understand the life cycle of the personal data it collects and processes.

Privacy impact assessments: It is recommended that organizations carry out privacy impact assessments before commencing any new business initiative or project that may affect the personal data held and processed by the organization, or whenever there are major changes to the organization's practices for handling personal data. Such assessments help data users identify potential data protection risks and develop the controls needed to mitigate them.

Win-Win Situation

Solutions

Ardent Privacy’s Solutions relating to the above mentioned challenges:

Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Often there are silos within entities or business and IT teams and it is challenging to get a full picture of data going outside organization and which is coming into organization, especially when data is shared with third parties, vendors, business partners and much more. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, to facilitate you to take action on it.

TurtleShield DM (Data Minimization) helps businesses reduce excess data and adhere to the data minimization principle. This is a data hygiene control, approached from a risk reduction and compliance perspective: we scan large data sets with Machine Learning to identify excess data, including personal data. Removing unwanted data eliminates operational inefficiencies and reduces both storage cost and the legal cost of retaining it with respect to regulatory compliance.

TurtleShield RTBF (Right to Be Forgotten) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request, together with validation that the deletion took place.

Search capability across large datasets allows data subject requests to be fulfilled in their entirety and at a rapid pace. The assumption that data exists only in databases and nowhere else is often not the reality, as customer data lives in many sources. Using Machine Learning and AI, we crawl across data sources and predict where PII can exist.

