By: Sonny Zulhuda
No, we are not talking about how to cure a ransomware attack such as "WannaCry" after it happens. That is not what legal compliance does. From the perspective of business continuity and data disaster management, legal compliance sits on the "preventive" side rather than in the "curative" or "recovery" domain, in the same way that a data backup is technically a preventive rather than a reactive measure.
Are we then saying that complying with personal data protection law will prevent incidents like a ransomware attack? Not necessarily. But by keeping yourself updated about the legal requirements pertaining to personal data protection, you put your organisation into a "standby" mode.
When you comply with legal requirements on data protection such as the Security and Retention standards, people in your organisation become aware that security measures have to be put in place to protect the personal data system. That system often overlaps with other databases and information systems in your organisation: the payroll system, the human resources system, the financial system, the CRM system, and so on, because each of those holds personal data of data subjects that your organisation processes.
That is why compliance with a PDP law such as the Malaysian Personal Data Protection Act 2010 can be a gateway to better protection of the data in your organisation from unwanted attacks and other risks to data integrity and security.
In fact, the PDPA 2010 hints that data due diligence, such as the data risk management you conduct in your organisation, will not only mitigate the risk of a data attack but will also be your "legal defence" in case such an attack takes place despite your mitigating measures. This is what transpires from the provisions of the PDPA 2010.
So, the equation is not complicated:
Data due diligence = legal compliance + risk management = legal defence
Good luck! 🙂
By: Sonny Zulhuda
In the week that passed I spoke at a national seminar on the Personal Data Protection Act, held at The Ritz-Carlton Kuala Lumpur on July 21, 2010. The audience came from various industries, including banks, regulators, insurance, medical services, investment and legal firms.
My session, which ran from 12.00 to 1.00 pm, focused on the rights of individuals as data subjects under the newly passed Personal Data Protection Act 2010 of Malaysia. Those rights of data subjects are provided in Part II, Division 4, sections 30-44. In short, those rights can be listed as follows:
- Right to access
- Right to correct data
- Right to withdraw consent for data processing
- Right on sensitive data
- Right to prevent distress/damage
- Right to prevent direct marketing
The session ended with a discussion of some prominent issues confronting individuals, such as workplace monitoring, junk mail/spam, data theft, and pictures taken in public places. One important message (of many) that I discussed with the audience was that, in order to achieve better implementation of the law, organisations should see and manage it from the perspective of individuals, not merely that of the organisation, because in organisations their people (employers, employees, business partners) are all data subjects too.
By: Sonny Zulhuda
Understanding the data protection principles is crucial to (re)formulating business processes. Companies and organisations that in any way use or exploit the personal data of their employees, customers (actual and potential) and business partners need to take a series of actions to comply with the legal regime on data protection.
In Malaysia this is a particular cause for concern nowadays, as the new law on personal data protection clearly requires data users to take certain actions.
Laid down in the main body of the law are the data protection principles, from which all the rights, duties and liabilities of data users and data subjects stem. (Note: a 'data user' is anyone who collects, uses, processes, etc. personal data belonging to particular individuals. Those individuals are called 'data subjects'.)
In the Personal Data Protection Bill recently passed by the Malaysian Lower House of Representatives, the principles of personal data protection are laid down in Part II, sections 5-12.