Date of Enforcement and Registration of Data Users (Christopher & Lee Ong)
- The Personal Data Protection Department of Malaysia (“PDPD”) has intimated that the Personal Data Protection Act 2010 (“PDPA”) will come into force on 16 August 2013. Once the PDPA comes into force, there will be a 3 month sunrise period to comply with the PDPA.
- All data users will need to register themselves with the PDPD by 15 November 2013. The PDPD has verbally indicated that data users from the following industries, in particular, must register:
- banking and financial institutions
- hospitality and tourism
- real estate/property development
- direct selling/marketing
- services (e.g. legal, accountancy, business consulting, engineering, architecture, employment agencies, transportation)
- retail and wholesale
- Whilst various industries such as the Information Technology (IT) industry have not been specifically identified as industries requiring registration in this first phase, the PDPD confirmed that the PDPA applies to all data users in every industry. Registration is therefore still mandatory for data users in industries which are not specified above. The position taken by the PDPD is consistent with the provisions of the PDPA, which requires all data users to register.
- Most, if not all, companies will be deemed data users given the broad definition under the PDPA.
- The PDPD has indicated that registration for data users will commence on 16 August 2013. Details on the registration process and procedures will be released in due course.
Phases of Implementation and Guidance on PDPA
- The PDPD has indicated that the PDPA will be implemented in 3 stages:
- 1st phase - the PDPD will focus on registration of data users and creating awareness;
- 2nd phase - the PDPD’s enforcement team will carry out inspections for compliance; and
- 3rd phase – the PDPD will undertake audits and commence prosecution for non-compliance.
- The PDPD expects to fully implement the PDPA by January 2014, with a view to converting the PDPD into a full-fledged Personal Data Protection Commission.
- An official website will be launched soon, setting out details of the PDPD and the PDPA.
- The first set of subsidiary legislation, which seeks to explain the interpretation and application of the PDPA, will be released on 16 August 2013.
- The PDPD will not, however, issue guidelines or codes of practice prior to the implementation of the PDPA.
The main objectives of the PDPA is to regulate the processing of personal data by data users in commercial transactions, and to safeguard the interests of data subjects. As the PDPA will come in to force soon, and given the broad definition of “data user”, companies should begin reviewing their policies, processes, contractual rights and obligations as well as standard forms and notices which relate to processing of personal data in order to ensure they are in compliance with the PDPA. The consequences for breaching the PDPA are severe. Aside from the negative publicity, penalties for non-compliance with the PDPA include fines for companies and/or fines and imprisonment for directors and officers of the company.
(1) Kuok Yew Chen, Partner of Christopher & Lee Ong
(2) Edwin Lee Yong Cieh, Associate of Christopher & Lee Ong