By: Sonny Zulhuda
Contrary to the traditional belief, information is no longer a mere business processing tools. It is now the very asset that turns to become the commodity of the business itself – becoming more powerful and valuable than any other physical assets. And this is particularly obvious in financial and banking industries where the acquisition of personal data and the adoption of information technology (IT) have both transformed the banking industry as well as the associated operational risk management.
The demand to protect personal data in banking industry comes mainly from two factors. Firstly, the consumers are getting increasingly aware of their right to data privacy. The bulk of their data such as personal and family data, financial information, credit history, employment records, or legal matters are now the target of many predators who wish to acquire them for their benefit, ranging from unsolicited direct marketing, loyalty program recruitment, credit card applications, and even for malicious intent such as identity theft and fraud (or “phishing”).
Therefore, banks can no longer take it easy in their handling of customers’ personal data. A poor data management would result in the loss of credibility, reputation and consumers. At the end of the day, consumers would prefer those who are best in handling their data.
Another pressure for data protection comes from the perspective of laws and regulations. Banking regulations had firmly upheld the need to protect customers’ privacy and confidentiality. In addition, the international community has now adopted a new legal regime on personal data protection (PDP). Regional community such as European Union is particularly very firm in ensuring industrial compliance, to the extent that they make it as another trade barrier for any non-EU countries who do not have adequate PDP law. The Asia Pacific Economic Cooperation (APEC) has also pledged that the member countries should adhere to certain regulation on data protection.
In ASEAN region, Malaysia and the Philippines had led the initiatives, while it is learned that Singapore, Thailand and Indonesia are following the suit albeit in different speed and urgency. In short, it is believed that laws on personal data protection will soon reshape the business processes and will rewrite the requirements of risk management and corporate governance in the banking industry.
See: Latest incidents on personal data abuse implicating banking sector
The new Personal Data Protection Act 2010 will seek to achieve certain objectives under the data protection paradigm in Malaysia.
As a new Act, it is logical to expect the presence of persistent confusion within the public and industrial sectors with regards to the impact of the Personal Data Protection Act 2010 in the short and long term consideration.
The new Personal Data Protection Act 2010 is not an exact copy of the UK Data Protection Act 1998. In principles, there are substantive compliance with the 1995 European Union Data Protection Directive. However the adoption and observation of different Third Party transaction and different data standard, (see 1995 European Union Data Protection Directive and the sui generis US safe harbor rules) present primary concern and obstacles for international data players (EU and US companies) having dealings with Malaysia in the light of the 1995 European Union Data Protection Directive and the imperatives of US safe harbor provisions.
Art 25 of EU Data Protection Directive outline that “the transfer to a 3rd party country, of personal data which are undergoing processing, or are intended for processing after transfer, may take place only if the 3rd party country in question ensures an adequate level of protection.
With proper understanding and consultation, it is hope that the Personal Data Protection Act 2010 will close the gap and accelerate Malaysia towards “Legal Appreciation and Transparency” by 2020 along the transformation programming tracks.
Jeong Chun Phuoc
Expert Consultant at a major law firm and a pioneer advocate in Competitive Legal Intelligence(CLI)
and a Reader in Syariah Competitive Legal Intelligence(sCLI)
Thanks for sharing Jeong! I like the idea of associating the PDP law with transparency. That one cannot be over-emphasized.. Therefore we see the UK office combine the PDP law and FOI (Freedom of Information) law within one authority, ie the ICO.