From Privacy Suit to EU GDPR: Data Protection Updates from Malaysia – As reported in the Borneo Post

By: Sonny Zulhuda

The beginning of the year saw my interview with the Malaysian daily the Borneo Post that was published on 1st January 2019. This interview was initiated by my colleagues from the consultancy firm Straits Interactive. The report was entitled “Malaysians increasingly aware of risks with data breach.” It can be found in this link.

The article started to to note that Malaysians now are more aware about the risks associated with breaches of their personal data. In fact, we in Malaysia have seen in the past five years, that there is a sharp increase in data privacy civil suits in the local Malaysian courts.

Among the points I highlighted in the interview are as follows:

What are the costs of data breaches?

  • The cost of data breaches can be seen in many areas. In terms of legal liabilities, companies in breach of the Malaysian PDP Act 2010 can be fined up to RM500,000 – for offences such as unlawful sale or unlawful collection of personal data, as well as collection of data without the required certificate of registration.
  • And when a data breach occurs, costs can also be incurred through technical repairs and loss of reputation. Business can also suffer because of bad publicity.
  • Civil suits can also be brought against companies, and these can cost businesses a lot of money. Malaysians are becoming increasingly more aware of the risks associated with breaches of their personal data, and we have seen a sharp increase in data privacy civil suits in the local Malaysian courts in the past five years.

Are we prepared? Here is what I said:

  • Unlike companies in the US and Europe, many companies in the Asean have yet to reach an acceptable level of preparedness. Data protection does not tend to be a part of the business culture, however some industries (banking and finance) are more prepared due to legislation and legal requirements.
  • To bolster the understanding and preparedness of other industries, we need more public awareness, training, and certified professionals in the field of data protection.

What are among the common concerns?

  • One major concern in Malaysia is how much our MyKad (ID cards) details are easily and unnecessarily exposed. Many people needlessly impose the collection or retention of MyKad details before people start business communication or interactions, enter premises, or participate in events. Unfortunately, lots of people are happy to submit these details and this gives the impression that these practices are approved and not an issue.
  • Another problem is direct marketing, as well as unsolicited commercial calls, emails and text messages. While it’s clear individuals have the right to refuse direct marketing, it still regularly happens.

What has been prepared?

  • I highlighted that leading consultant like Straits Interactive plays the role to champion a public-private partnership by establishing alliance with academia, industries and the government. This partnership will ensure Malaysia as a nation moves together and responds to data privacy issues with a common understanding and comprehensive programmes.

Does the European Union GDPR (General Data Protection Regulations) have anything to do with the Malaysians?

  • With the passing and enforcement of the EU General Data Protection Regulation (GDPR) in May 2018, Malaysia needs to gear up for these stronger laws and better enforcement.
  • The GDPR applies to companies who also interact with European citizens, and this requires short-term training programmes and certifications in the field of data protection.
  • A collaboration at the regional level is also timely and necessary. We are heading towards that.

Credit on this Interview to the Straits Interactive and the Borneo Post.

Data Breach a Test to Our Digital Resilience

By: Sonny Zulhuda
DSC_0025
Malaysian public has recently been perturbed by a series of personal data breach one after another. While the investigation is taking place, one can only expect that what has surfaced may only be a tip of an iceberg.
As the country embraces digital economy and aims at a cashless society by 2020, this data security crisis becomes a part of the equation. More digitised information and more synchronised data mean a bigger risk of data breach calamities. As a country, there is no backing out from this equation even though that means we have to learn it hard.
As a consequence, a data breach is not a matter of ‘whether’ but is a matter of ‘when’ it will happen. This requires us to adopt a risk management approach. Failure of managing the risks can be increasingly costly. The problem is, it is too often when we realise there is a data, it may be already too late. The alleged leak and illegal sale of Malaysian telecommunications data are said to have happened years ago. By now, we are already five years too late!
Time is of the essence here. As we start to learn about the breaches that took place, swift actions are warranted. There are few points to consider by all the stakeholders.
Firstly, data users can do the least by keeping the public informed about what is going on.
Even though our PDP law does not oblige data users to notify data subjects about any breach, this is warranted for transparency and trust preservation, and hence their business continuity plan.
Secondly, we should treat this as an issue of national security.
Not only because massive data of the majority of the public is affected, but also because those data come from the telecommunications and financial industries which are deemed among the ten critical national information infrastructures (CNII) as outlined by the Malaysian National Cyber Security Policy (NCSP) 2006. So, data security under this CNII must be given utmost priority. Both public and private sectors must cooperate in dealing with the crises.
Thirdly, it is time to test the mechanism of our law.
These incidents of a personal data breach either maliciously or negligently occurred, will need to be tested against the Personal Data Protection principles enshrined in the Act. The authority needs to speed up the activation of the Personal Data Protection Act (PDPA) 2010 after some “day-nap”. Other agencies need to help in accordance with the statutory powers granted to each of them.

7E3A8212

The year 2017 is notably the beginning of some successful prosecutions under the Act, which is a crucial milestone in itself. On a positive note, we should take this crisis as an opportunity to also prove our legal mechanism. 

On top of that, what we are facing now is something bigger: it is testing our resilience as a nation. The challenge is more than a damage control: it is to deal efficiently with the massive data crisis like what is happening now.

This is not a one-off duty as data security is a process rather than a result. As Vince Lombardi was once famously quoted, it is not so much about how we fall down, but rather on how to raise back. And by “we” I mentioned in this last paragraph, it is you and me and every one of us the individuals to whom the personal data actually belong to.

“Can my lecturer access my personal information?” – And Other Issues of Data Protection at the Higher Learning Institutions 

By: Sonny Zulhuda 

In the past week alone, I spoke about the personal data protection law at two Malaysian public universities; Universiti Sultan Zainal Abidin (UniSZA) Kuala Terengganu and Universiti Malaysia Pahang (UMP) Pekan. While the former was an internal programme, the latter talk was attended by other public universities’representatives who were members of Majlis Tatatertib dan Disiplin Universiti-universiti Awam Malaysia (MATDUM).

In this post, I would like to note some discussions we had on the implementation of the Personal Data Protection Act 2010 at the University environment.

IMG_20170319_095449

The education industry is indeed among those where personal information is highly processed. The data subjects include students (prospective, actual and graduates), university’s employees, as well as any individuals involved in the data processing.

Continue reading

Rolling-out PDP Compliance Program: Issues & Challenges

By: Sonny Zulhuda

My talk this Thursday, 28th May 2015 in Petaling Jaya. More updates soon…

image

Personal Data Protection Act & Information Assurance – at ISACA Evening Talk

By: Sonny Zulhuda

I will be speaking on the above topic this week (Tuesday, 18th February 2014) to  IT Governance professionals affiliated under the ISACA Chapter Malaysia. I was informed at least one hundred people will be attending.

ISACA Feb 2014This will be my first speech on PDPA after the lapse of 3-month grace period set up by the PDP authority in Malaysia. I can foresee the level of enthusiasm from participants is high.

Details are here: http://www.isaca.org/chapters3/Malaysia/Documents/Talk%20-%20PDPA%20-%20Feb%202014%20FINAL.pdf

Here is the home page for the Chapter: http://www.isaca.org/chapters3/Malaysia/Pages/default.aspx

Beyond Personal, Data and Protection: Keynote Address at ISACA Annual Conference 2013

By: Sonny Zulhuda

ImageIn less than three weeks (since I spoke in GIGS2013 Summit), this Big Data concern had had me involved in more direct and personal way. The Malaysian chapter of the Information Systems Audit and Control Association (ISACA) – yes, you’ve heard about their CISA and CISM professional certification, that’s their product – will hold its annual IT Governance, Assurance and Security Conference on 18-19 June 2013 in Kuala Lumpur, Malaysia.

The massive intersection between the Big Data, security issues, compliance as well as data protection legislation had taken me into the epicenter of the complicated development of IT governance: I will be delivering a keynote address of the event with my paper entitled: Beyond “personal”, “data” and “protection” – How the Data Privacy Law Transforms Business Landscape in Malaysia and Beyond. — wow, that is.. long!

Continue reading

Consumers to take control of their Personal Data

My Intro: The following passages were published by the Star in their Sunday Edition (6th January 2013) at pp 23-24. The article is about what Malaysian consumers should know and do in relation to their personal data. It is based on another interview the journalist had with me. For the benefit of the readers, I reproduce some parts of the article in this page. Should you want to read it in full, check the newspaper’s page HERE.

======================================

“Consumers, take control of your personal data”

The Personal Data Protection Act 2010 has come into force, but the public will have to do their part to make it effective.

Credit: The Star Online

Credit: The Star Online

EAGER to win the grand prize, Maria (not her real name) did not hesitate to “drop” her name card at the door for a lucky draw at a company dinner. Weeks later, she found herself inundated with phone calls and text messages offering different services and products.

It is an accepted practice in Malaysia to leave our call cards or personal information at the registration counter of public events. But have you ever wondered what your personal data will be used for later? Or how it will be stored?

This has become so common here that no one thinks twice about the risks and implications, says personal data protection law expert Dr Sonny Zulhuda.

Under the newly enforced Personal Data Protection Act 2010 (PDPA), however, this practice will have to be reviewed, particularly for business entities that use these occasions as an opportunity to build their network of potential customers.

Continue reading

  • November 2019
    M T W T F S S
    « Oct    
     123
    45678910
    11121314151617
    18192021222324
    252627282930  
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,630 other followers