Personal Data Governance from A Cyber Security Perspective

By: Sonny Zulhuda

Data privacy and data security are two sides of a coin – unseparable. Despite efforts by experts to explain this, yet the misunderstanding that they defeat each other is still widely looming.  In this APAC Cyber Security Summit held in on 3rd June 2016 in Kuala Lumpur and attended by more than two-hundred regional participants, I took another attempt to explain this: How protecting one’s data privacy can contribute to a larger information security practices. Not coincidentally, one can see it from the other side: In order to afford maximum protection of one’s privacy, efforts must be taken to secure his data. Thus, data security is part of a bigger personal data privacy protection. Confused? Don’t be.

APAC Cyber Summit 2016_1The truth is, personal data management does include protecting its confidentiality, integrity and availablity. And doing so, it means one must ensure the privacy and security of personal data goes side by side.

In a report released by the PriceWaterhouseCoopers (PWC) in 2016 on Personal Data Use Governance – Mitigate Risk while Unlocking Business Value, there is a sfift (or more sutiably, an expansion) of personal data risks landscape from merely a security and regulatory issue, to an intersection of issues of ethical, regulatory, litigation, security and serivce quality.

At this Conference, I highlighted the latest status and implementation of the Malaysian Personal Data Protection Act 2010 and tried to show how the new regulatory framework reshape the landscape of information security in Malaysia.

The points can be summarised as follows:

  1. Perspective #1. PDPA 2010 creates data management principles
  2. Perspective #2. PDPA 2010 spells out the duties throughout data lifecycle
  3. Perspective #3. PDPA 2010 identifies data risks
  4. Perspective #4. PDPA 2010 creates new data offences
  5. Perspective #5. PDPA 2010 creates duty of data due diligence
Advertisements

Privacy – How to be Assured in Cyberspace

By: Sonny Zulhuda

This year’s ISACA Malaysia’s Conference is renamed a CyberSecurity, IT Assurance & Governance (CIAG) Conference 2016, held on 30th May 2016, in Le Méridien hotel, Kuala Lumpur. My friends and colleagues in ISACA Malaysia are kind enough to invite me for the fourth time in their annual national conference. Last year, I was invited to speak about the pros and cons of Internet of Things (IoT) in the form of a debate, together with a representative from the Malaysian Digital Economy Corporation (MDec).

 

In this year’s edition, I was seated in a panel discussion to speak about the protection (or  Assurance) of privacy in the cyberspace. With me as panelists are Mr. Retnendran Subramaniam CISA, CRISC (former ISACA Malaysia chairman) and Mr. Victor Lo, the Head of Information Security, InfoTech Division, MDeC. The panel was moderated by Mr. Jason Yuen from the Ernst & Young Malaysia. Continue reading

Making sense of Dark Data

By: Sonny Zulhuda

BIG-DATAWhile big data is by now a commonly heard term, dark data is not. Some participants in the recently-held Singapore Symposium whispered to me that they had never heard about the term – so you can say they were in dark about Dark Data.

The term is new to me as well! Except that I have had a little earlier opportunity than those guys to read about it and to finally make sense of it.

It all rooted from the fact that we have had an abundance of data around us, and how much those abundant data are capable of being sourced as information. Yes, it is about Big Data. As we know, Big Data is about quantifying everything possible to be a data. A person’s identity is no longer depending on what is printed on documents (ID, passport, certificates) about him. A person is now identifiable from his mumbling words, his movement, his location, his mood and even the pattern of what he will do every day. All those data are being quantified and measured due to their availability from myriads of media, devices, and interactions (both human and artificial). What makes it possible? You name it: Mobile gadgets, Social media, CCTVs and commercial transactions you have been making, to name a few.

In organisational life, the same is happening. More and more data are collected and stored by organisations, manually and electronically. Data of employees (and their mumbling words, movements, location, mood, etc.), of visitors, of business transactions, of internal meetings, of vendor’s works, of all reports, records and repositories, etc. are increasingly collected, stored…. but not necessarily used. In many occasions those data are no longer usable after their first collection, and yet they still fill up the organisation’s storage (recent research indicates that these unusable data may stack up to 70% of oganisations’ data).

Those are dark data. Untapped, untagged and sometimes unknown data.

Now is this: the fact that they remain unused does not mean they are valueless. You can run this simple test: Should you dump all these data to your competitor or any third party, would there be a loss to suffer? What about a competitive loss, breach of secrets, infringement of privacy, reputation loss, legal liability? If yes, then such Dark Data should be urgently managed.

That is the first message that I delivered in my 1-hour talk in Singapore yesterday.

Data Protection in the Era of Big Data, the Internet of Things (IoT) & Cloud Computing

By: Sonny Zulhuda

ALB Conference 2015This is the second such conference being organised by ALB/Thomson Reuters on Data Protection following the successful event a year ago. I spoke in a panel session last year, and will be speaking again this time. The conference will be on Thursday, 7th May 2015 at the JW Marriott Kuala Lumpur.

Keynotes will be delivered by Trevor Hughes, President of the International Association of Privacy Professionals (IAPP); Dr. Zainal Abidin Sait, Deputy Director-General of the Personal Data Protection Malaysia Department (PDPD); and Prof. Abu Bakar Munir, who was the Data Protection Consultant to the Malaysian Government.

My panel session is the one slotted at 16:10, focusing on “Data protection in the era of Big Data, the Internet of Things (IoT) & cloud computing,” covering the Jurisdiction and marketplace: Asia Pacific, EU and US.

Continue reading

PDP Law Compliance for Educational Institution

By: Sonny Zulhuda

Educational institutions -universities, colleges, schools, etc.- are among those who are regulated by the Personal Data Protection Act (PDPA) 2010. The data subjects include: students (obviously the main object here), staffs or employees, vendors, alumni, sponsors, as well as those applicants who have yet join the universities/schools.

The amount of personal data are potentially bulky: personal details, medical records, financial and scholarship records, academic records, student societies records, disciplinary records and even post-study information about the students. Given this situation, people who deal with students’ data in the educational institutions would need to ensure their handling of personal data is in line with the demands of the Act.

In introducing the subject matter to the community in the University, I will be speaking in this following workshop, together with my friend Noriswadi Ismail from Quotient Consulting Sdn Bhd and PDP Academy LLP, and Dr. Federico Feretti from Brunel Law School, London, UK.

Banner PDP Workshop AIKOL 28052014 (4)

Personal Data Protection a Key Concern for Human Resources (HR) Professional

By: Sonny Zulhuda

More personally identifiable information (PII) is being captured in the commercial activities across sectors and industries. The workplace today has become a battleground for protecting employees’ valuable personal data that includes their personal records, financial status, medical information as well as the professional data relating to their jobs.

Image

As a result, it is not too much to say that managing human resource HR) data has now become a critical success factor for organisations both internally and externally. Internally, because an effective and sustainable personal data management supports the works of everyone in the organization who relies on those data. Externally, because personal data has now become a crucial issue closely linked with managing trust and competitiveness while trying to grab the best human capital in the industry.

Given this, a Human Resource (HR) manager plays a central role to ensure that personal data of the employees and anyone around them would remain as assets and not turn out as liabilities for the commercial organizations. And for Malaysian employers, dealing with personal data of their employees, customers as well as their service providers has transformed from largely a business and operational issue to a legal and compliance concern.

With the enforcement of the Personal Data Protection (PDP) Act 2010 (Act 709), the operational landscape for human resource management has tremendously changed. The Act tasks the employers with a series of obligations relating to the collection, use, disclosure and retention of the personal data in their control, including data of employees, job applicants, former workers, outsourced service providers, vendors and customers.

Even though measures from industrial laws and guidelines are abundant and in place, employers are still in the dark about the multi-dimensional effect of the PDP Act 2010 on the employment relationship. Many practical issues arose in the workplace and throughout the employment lifecycle. These questions would likely arise:

  • Who are implicated by the PDP Act 2010?
  • What are the seven data protection principles in the Act and how do I (as an HR manager) implement them in my scope of work? Continue reading

Do-Not-Call Registry (DNCR) to Protect Personal Data?

By: Sonny Zulhuda

In March, I featured in The Sunday Star (9/3/2014) reporting on the need to establish a “Do not call registry” to protect people’s personal information. The main issue discussed was to scrutinize an initiative to have a DNCR and its operational and legal challenges. The full report can be traced here.

Image

 

The question that was posed to me was: (1) How good is the idea of DNCR for Malaysian consumers? AND (2) Do you foresee any issues that might arise when they  implement this?

Here are my comments:

  • The PDPA 2010, unlike Singapore’s law, does neither provide nor mandate specifically about Do Not Call (DNC) registry.
  • Nevertheless, DNC registry is an advanced step towards protecting individuals personal data, therefore it is highly commendable. It does require a carefully-structured procedure and rules. Continue reading
  • February 2019
    M T W T F S S
    « Jan    
     123
    45678910
    11121314151617
    18192021222324
    25262728  
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,613 other followers