Privacy Impact Assessment (PIA) – In the Light of the Data Protection Law in Malaysia

By: Sonny Zulhuda

Last time, in May ’12, I was invited by the Federation of Public Listed Companies (FPLC) and the Malaysian Institute of Corporate Governance (MICG) to speak at their National Conference on IT Governance, Data Protection and Cyber Security.

I chose to speak about the importance of the Privacy Impact Assessment (PIA) as an implementing tool for complying with the data management rules and obligations under the law. The exact title of my presentation was “Privacy Impact Assessment for a Better Corporate Governance: The New Legal Landscape in Managing Corporate Data Assets.”

In fact, this was the first time I spoke about it. I just felt that people, especially corporate citizens, need to be told in a more practical way why and how they should comply with the laws on personal data management, i.e. the Personal Data Protection Act 2010 as far as Malaysia is concerned.

The PDPA itself is, of course, silent about the PIA. But that does not mean that having or executing a PIA would be useless. A PIA is indeed a very helpful organisational tool for ensuring compliance with the law on data protection, and Malaysian law is no exception.

So, what is a PIA? A PIA is an exercise in which an organisation addresses a series of accruing (potential or actual) privacy-related issues and concerns arising from certain practices or activities in which that organisation is involved.

It is a series of practical sessions that aims not only at identifying potential privacy concerns, but also at finding solutions or alternative courses of action. In relation to the PDP law, a PIA is a helpful tool for data users (“data controllers”) to identify possible breaches of the data protection rules and to achieve compliance.

Before this, we may have frequently heard about other tools used by organisations in relation to personal data protection, such as the “compliance checklist”, the “data protection audit”, “information security assurance” and so on. But those tools cannot precisely replace the PIA, since their scope is narrower, or they focus on certain aspects only, compared with what a PIA covers.

A PIA is more than just an audit or a compliance checklist. It covers the whole data life-cycle, from planning and strategising to execution. It is part of a system of incentives, sanctions and review, and should be embedded in project workflows or quality assurance processes.

A PIA serves several objectives, among others: to expose and mitigate privacy risks; to avoid adverse publicity; to save money; to develop an organisational culture sensitive to privacy; to build trust; and, last but not least, to assist with legal compliance. In Malaysia, this legal compliance does not only target the PDP Act 2010, but also other relevant acts such as the Companies Act 1965.

In the Conference I mentioned several scenarios where a PIA would be helpful, among others:

Where your organisation outlines a new strategic plan for launching a new product/service, the question arises whether you should use the existing customer database to promote those new products/services.

When the boardroom is to decide on the use and installation of surveillance measures in the workplace, such as installing CCTV or monitoring Internet traffic.

When your company decides on all-round online payment services…

When your organisation plans to digitise all critical corporate documents, including employees’ personal information…

What can be said as a take-away for the participants is that, with an effective PIA, a person or organisation would be able to:

APPRECIATE the project’s privacy impacts;
–from the perspectives of all stakeholders (including the customers);
–looking at the acceptability of the project;

APPEAL for any alternatives;
–for less privacy-invasive alternatives;
–to minimise the negative impacts on privacy;

ASSESS ways to lessen negative impacts on privacy;
–where negative impacts on privacy are unavoidable, clarify the business need that justifies them; and
–prepare proper documentation and publication of the outcomes;

ANTICIPATE the legal requirements, gaps and possible ramifications.

With such a session at the Conference, I could not over-emphasise the importance of having a PIA for any organisation to successfully handle its data assets. Full stop.
