Businesses in the dark over the PDPA

February 2, 2014  |  By The Star

PETALING JAYA: As a wedding planner, Marcus Tan has a collection of pictures and videos of his clients’ weddings. With the enforcement of the Personal Data Protection Act, he is worried that he may be breaking the law by keeping them.

“In essence, my understanding of how the Act applies to me is that I am not supposed to keep or be found having any copy of the personal data of my clientele, without their consent.

“I deal with a lot of contractors and couples, and this involves exchanging not just contact numbers and emails, but also pictures and videos of wedding events, which by right, belong to the couples or the people who captured them in the first place. But I am not sure if the Act applies in this context,” he said.

Tan is not alone. There are many people still in the dark about the Act even though it was passed in 2010 and has been in force since last November.

Malaysia Mobile Content Provider Association president Johary Mustapha said many workshops and courses had been held on the Act, but they were still not sure of its details.

“At the same time, many are just waiting until the last minute to register and comply with the Act,” he said, adding that the Personal Data Protection Department would have to take tough action against those who did not comply with the PDPA.

Lawyer Kuok Yew Chen, who is a partner at Christopher & Lee Ong, one of many law firms providing legal consultancy on the PDPA, believes that many companies already have some sort of privacy policy in place.

“Generally, the multinationals would already have global privacy policies and so they would simply need to adapt these to meet the requirements of Malaysia’s PDPA. It is, perhaps, the small- and medium-enterprises that would be least prepared, given that not many would have internal policies or procedures on privacy and protection of personal data,” said Kuok.

“Given the very short remainder of three months, companies should immediately undertake a review of their existing policies and procedures to ensure they comply with the Act,” he said.

“Companies which fall within the 11 categories of data users identified by the PDPD, should also ensure they register before Feb 15.”

Goh Chee Hoh, managing director (SEA region) at security solution company Trend Micro Inc, agrees that businesses that have been delaying compliance will have to move quickly.

“The biggest challenge for businesses in regards to PDPA is that they have to change the way they handle customers’ personal data. We believe that under the PDPA, the most challenging principle they have to adhere to is the Security Principle where data users shall, when processing personal data, take practical steps to protect the personal data from any loss or misuse.

“This is because businesses have to use effective security measures to protect the personal data from being disclosed to an unauthorised party unwillingly.”

It is not easy now for businesses to equip themselves with the proper tools to help them to secure their customers’ personal data because people today are using a diverse set of mobile devices, operating systems and consumer apps to handle sensitive data.

“This increases the risk of data loss as it will only take one slip-up for the data to fall into the wrong hands,” he said.

However, Goh is confident that the enforcement of PDPA would see a reduction in data abuse. “All data users are now responsible by law to safeguard and prevent personal data from being abused,” he said. “We can be assured the personal information we have entrusted to a third party is now protected under the Act.”