Personal Data Protection Act
Is Personal Data the New “Oil”?
Data is power, and we have all become increasingly aware of the trail of data we leave behind when we go online, make phone calls, send text messages, or even do our online banking. To guarantee our safety and our privacy, the Government of Malaysia has enforced the Personal Data Protection Act (PDPA).
What is PDPA? The following are 7 Data Protection principles that data users as well as individuals need to understand.
1. General Principle. A data user shall not process personal data about an individual unless the individual has given his consent to the processing of the data.
2. Notice and Choice Principle. A data user shall inform an individual by written notice that his personal data is being processed by or on behalf of the data user, and shall provide a description of that personal data, including information about the purpose of data usage, the individual’s right to request access to or correction of the personal data, and how to contact the data user with any inquiries or complaints regarding the personal data.
3. Disclosure Principle. No personal data shall be disclosed without the consent of the individual.
4. Security Principle. The data user shall take practical steps to safeguard the personal data from any loss, misuse, modification, unauthorized or accidental disclosure, alteration or destruction.
5. Retention Principle. The personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose.
6. Data Integrity Principle. A data user shall take responsible steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date.
7. Access Principle. An individual shall be given access to his personal data held by a data user and be able to correct it.
A holistic approach to achieve compliance with the act is necessary to safeguard your organization from any reprimand under the Act. A few general rules of thumb to apply:
1. Companies don’t ‘own’ their customers’ personal data: the customers do.
2. Always obtain permission to make use of the personal data collected, and only ask for the data that is required to make the service provided and requested work efficiently, or that may deliver more value to the customer.
3. Be honest and transparent about how the personal data will be used for the services being provided and requested, and explain this when the data is being collected.
The Act has far-reaching implications and affects entire organizations, from business processes right down to the individuals handling the personal data. However, the Act also provides value to both companies and customers, as the data protection principles make companies more aware of corporate responsibilities and increase customer engagement and confidence. Once the company is able to show compliance with the Act, it will only serve to strengthen the corporation’s reputation and integrity, as well as overall brand image. In other words, Data Privacy establishes trust - and trust is good for business.
The AMCHAM ITTIP committee is working with all stakeholders to facilitate the implementation of the Act. As such, AMCHAM will be organizing a Personal Data Protection Act briefing on Tuesday, March 19th 2013.



