Half day public-seminar_on_pdpa_2010_-_250711


HALF-DAY PUBLIC SEMINAR ON MALAYSIAN PERSONAL DATA PROTECTION ACT (PDPA) 2010

25 July 2011, Monday, 9.30 am – 12 pm, Legal Training Room, Menara SSM @ Sentral

By Noriswadi Ismail

Quotient Consulting

7/23/2011 (c) 2011 Quotient Consulting, Information Is Invaluable

Vignette 1

Harimau Malaya, Malaysian, holds a Malaysian ID, passport, driving licence, 3 Malaysian bank accounts, 2 mobile accounts and 5 loyalty membership cards. His details are also registered in 2 private clinics, 1 government hospital and 2 insurance companies. He has 1 bank account in London and Hong Kong respectively. He travels frequently for business and golfing. He is a director of 3 companies in Malaysia, London and Hong Kong. Also, an avid golfer of 3 golf clubs (Malaysia, Indonesia and Scotland).

Executive Summary

Q: What is PDPA 2010?

Q: Why do we need to comply with PDPA 2010?

Q: What are the 7 data protection principles?

Q: Will PDPA 2010 kill my business operations?

Q: To what extent does PDPA 2010 affect your business operations?

Q: We are a start-up and a semi medium sized company, how should we strategise?

Q: When should we start?

Q: Is there any additional compliance cost for this purpose?

Q: How about formality and enforcement?

Q: What’s next and the must-to-do list?

Q: How to ensure such data protection & privacy management is sustainable?

What is PDPA 2010?

::: An Informational privacy legislation

::: 10 Parts (Preliminary; Personal Data Protection Principles; Registration; Data User Forum and Code of Practice; Rights of Data Subject; Exemption; Personal Data Protection Fund; Personal Data Protection Advisory Committee; Appeal Tribunal; Inspection, Complaint and Investigation; Enforcement; Miscellaneous; Savings and Transitional Provisions)

::: 146 Sections

::: Jurisdiction: Malaysia


What is PDPA 2010?

::: Received Royal Assent on 2 June 2010, and gazetted a week later

::: Compliance commences: 3 months from the date of enforcement

::: Application: To commercial transactions only, not applicable to Federal and State Governments

::: Cross reference to: Electronic Commerce Act 2006’s definition on commercial transactions “…any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking, insurance, but does not include a credit reporting business carried out by a credit reporting agency…”

What is PDPA 2010?

• Regulator*: Oversees and enforces the Laws; Fund: Personal Data Protection Fund

• Data Processor: An authorised person who processes data on behalf of the data user

• Data User: A person / legal person who controls / authorises the processing of data

• Data Subject: Individual who is the subject of the personal data

What is PDPA 2010? (*Regulator)

• Minister

• Data Protection Commissioner

• Personal Data Protection Advisory Committee

• Data User Forum

• Appeal Tribunal

What is PDPA 2010?

Question: What about Government Linked Companies (GLCs)?

Question: What about Government to Government’s engagements?

What is PDPA 2010?

Question: What about transborder data flow?

Question: What about transactions between government and non-governments?

Why do we need to comply with PDPA 2010?

Recognition of privacy (informational) as one of the fundamental human rights

Protection of invaluable data that is sensitive, is being commoditised, and has vast potential to be commoditised

What are the 7 data protection principles?

P1: General Principle – Consent, Lawful Purpose, Necessary, Adequate and Not Excessive – Sections 6(1) – (3)

P2: Notice and Choice Principle – Section 7(1)

P3: Disclosure Principle – Section 8, cross reference to Section 39

P4: Security Principle – Section 9(1) & (2)

P5: Retention Principle – Section 10

P6: Data Integrity Principle – Section 11

P7: Access Principle – Section 12

Will PDPA 2010 kill my business operations?

::: Yes, if your business operations are inconsistent and non-compliant with the PDPA 2010’s 7 data protection principles;

::: Yes, if your business operations do not have the necessary framework, control, management and monitoring of the 7 data protection principles’ requirements;

::: No, as PDPA 2010 enhances trust, value and reputation of your business; and

::: No, as PDPA 2010 seeks to safeguard all of your data

To what extent does PDPA 2010 affect your business operations?

• Corporate Office (HR, Legal, Finance, Audit & Administration)

• Marketing & Business Development

• Business Partners & Contractors

• Local & International engagements

To what extent does PDPA 2010 affect your business operations?

• Categorisation of data

• Documentation (Forms, Agreements & Policies)

• ICT deployment (Data security)

• Human capital (skills & trainings)

We are a start-up and a semi medium sized company, how should we strategise?

• Partial Outsourcing Route

• Controls & Systems Planning & Execution

• Back-to-Back Arrangement & Execution

• Adequacy Route & Execution

We are a start-up and a semi medium sized company, how should we strategise?

• Resources & Skills

• Cost

• Culture & Awareness

• Limitations

When should we start?

Assumption 1: If the date of enforcement is within Quarter 2 of 2012, it’s recommended to start the planning & execution by Quarter 4 of 2011 – Quarter 1 of 2012

Assumption 2: If the date of enforcement is within Quarter 1 of 2012, it’s recommended to start the planning & execution NOW

Key Assumption: The proposed Malaysian Data Protection Commissioner will be established in Quarter 1 of 2012

Vignette 2

Keranamu is a Government Consultant who advises on strategic acquisition of certain stakes in Company 76, a public listed company, incorporated in Hong Kong. The proposed acquisition is channelled through a leading Government Investment arm. Company 76 appoints a European-based consultant to act on their behalf in the negotiations.

Is there any additional compliance cost for this purpose?

::: Yes, subject to the budget, resource planning & business plans

::: No, if it has been anticipated

How about formality and enforcement?

• Registration of Data User – Certificate (Renewal, Revocation & Surrender)

• Register

• Notification & Access Request

• Inspection of Personal Data System

• Enforcement Notice; Variation or cancellation of Enforcement Notice

• Report, complaint and investigation by Commissioner

• Power of investigation, search & seizure with warrant

• Power of arrest

• Prosecution

How about formality and enforcement?

• Transfer of personal data to places outside Malaysia

• Unlawful collecting of personal data

• Abetment and attempt punishable as offences

• Compounding of offences

• Offences by body corporate

• Jurisdiction: Sessions Court

• Protection of Informers

• Protection against suit and legal proceedings

Vignette 3

Truly Asia Travels & Tours has been appointed by some governmental agencies and private companies as their exclusive travel agent. The terms of reference include managing such flight, hotel, travel itinerary and related bookings. The amount of data processing of data subjects, transfers and sharing are done globally.

What’s next and the to-do-list?

::: Strategic planning

::: Resource planning

::: Dissemination planning

What’s next and the to-do-list? ::: Strategic planning

• Board Leadership: DPP as part and parcel of organisation/company’s Key Performance Indicators (KPIs)

• Senior Management: Driving DPP across the whole spectrum of organisation/company

• Managers & Working Team: Overseeing & monitoring the required affected portfolios that intersect with PDPA 2010

What’s next and the to-do-list? ::: Resource Planning

• Portfolio & Reporting creation/structure: Subject to the setting of the Corporate Office’s structure

• Skills & knowledge enhancement: Training, Consultation & Certification

What’s next and the to-do-list? ::: Dissemination Planning

• Data Protection & Privacy Campaign: Across the organisation / company

• World’s Data Protection Day Event: 28th January (of the year)

How to ensure such data protection & privacy management is sustainable?

• Trust

• Culture

• Monitored compliance, controls and execution

Vignette 4

Hospitals A1, A2 & A3 are government hospitals. These hospitals deal with patients who mostly consist of the public and engage with local and international consultants.

Vignette 5

Universities B1, B2 & B3 are public universities. These universities engage with local and international students, consultants, international academics and universities globally.

THANK YOU

QC TM

London. Kuala Lumpur. Jakarta

Data Diagnosis | Privacy Impact Assessment | Data Protection & Privacy Strategy

Training | Data Protection & Privacy Certification | Public & Private Consultations

<noriswadi@googlemail.com>
