By Sonny Zulhuda
That is it. No more waiting or being complacent.
The Minister of Information, Communications and Culture of Malaysia, Datuk Seri Rais Yatim, was reported today (23 Oct 2012) as saying that the crucial Act will be enforced from the beginning of 2013, which is less than two months from now. The report from The Sun Daily can be viewed here.
And when it is implemented, as prescribed by the Act itself, data users will have three months to prepare to comply with the rules and regulations on the personal data that they collect, process or otherwise store. In total, companies as well as individual data users will have only five months to prepare themselves before the Data Protection Commissioner can knock on their doors if he wishes to inspect their personal data system and their level of compliance.
It would also mean that consumers, termed data subjects, would be able to come and check the accuracy of their personal data collected and processed by their bankers, telecommunications providers, or any other service providers with which they have a contract.
Who will be implicated?
If you or your company “process” personal data of individuals for a “commercial transaction” other than that related to credit rating business, and process such data in an “automated” manner, or in a non-automated manner but using a “structured filing system”, then you will be implicated because you are a “DATA USER.” This holds whether you operate as an incorporated entity, an individual proprietor or as partners.
However, if your processing activities are not located in Malaysia (such as the personal data you disclose on Facebook), then those data are not subject to the PDP Act 2010.
Likewise, if you collect data only for your own personal, household or non-commercial activities, then you are out too.
The fact that you as data owner do not process such personal data on your own, but instead get someone else to do it for you (such as in an outsourced service), does not exclude you from being a data user under the Act. Instead, it adds to your obligations a further duty to ensure that your outsourcing service provider provides equal protection. This service provider is termed a DATA PROCESSOR under PDPA 2010.
A Data Processor is not bound by the same duties as the Data User, but it is nonetheless held to similar obligations through its service agreement with the Data User. On top of that, the PDP Commissioner is empowered to conduct an inspection directly on your data system.
Therefore, whether you are a Data User or a Data Processor under the definitions of the Act, this enforcement date can be your “make or break” moment.
You can get a copy of the PDP Act 2010 from the Ministry’s website here.
At the time this post note is written (mid-July 2013), there has not been any official announcement or declaration by the Government on the enforcement of the Personal Data Protection Act 2010, which means the Act remains in status quo, not yet in force.
The Act is now in force! It was officially gazetted on 15th November 2013.