WELCOME TO CHARLES RUSSELL SPEECHLYS.
After a number of delays we are pleased to report the impending enforcement regime in Malaysia. There is a three-month moratorium to enable businesses to become compliant.
In June 2010 the Parliament of Malaysia passed a Personal Data Protection Act (PDPA) with the aim of protecting the personal data of individuals with respect to commercial transactions. The PDPA 2010 is supposed, among other things, to diminish the amount of unsolicited and unwanted spam sent via SMS, most recently prevalent during the Malaysian General Election of May 2013.
From an organisational perspective, the PDPA 2010 has far-reaching impact and affects the manner in which organisations interact with their employees, customers and third-party service providers, as well as how they store, handle and process personal data. The seven principles of the Act ensure that the collection and use of personal data must be consented to by the data subject, and steps must be taken to ensure that this personal data is updated, correct and securely stored.
Failure to comply with any of the seven principles of the PDPA 2010 is an offence punishable by a fine of RM300,000 or up to two years imprisonment; in some cases both are applied.
'Personal data' may be defined as any information that relates directly or indirectly to a data subject, who may be identified or identifiable from that information or from that and other information in the possession of a data user. Personal data may take many forms, from name to passport number, telephone number, photograph, fingerprint etc.
A 'data user' is the party using the personal data of that individual, referred to in the Act as the data subject.
There was some considerable delay in the implementation of this Act, but the Malaysian Personal Data Protection Act 2010 will be enforced on 16 August 2013. At the same time, a first set of subsidiary and supplemental legislation will be released, aimed at illustrating the interpretation and application of the PDPA. However, the Guidelines and Codes of Practice will not be released on this date.
A three-month transition (or sunrise) period will run from 17 August - 14 November 2013, which will allow companies and organisations to develop their strategies and establish the necessary compliance policies. The first phase of the PDPA 2010 will commence on 15 November 2013, enforced by the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi - JPDP).
On 1 January 2014 the JPDP will be rebranded as the Personal Data Protection Commission.
The Personal Data Protection Commission Official Website will be launched by the end of 2013.
There will be 3 subsequent phases of enforcement:
Thanks to our friend and expert advisor in Malaysia, Noriswadi Ismail, for providing us with information upon which we based this article and to our summer student, Helen Siviter, for her research and creativity.
For more information please contact Robert Bond, Partner
T: +44 (0)20 7427 6660