KUALA LUMPUR, Nov 15 — The much-awaited Personal Data Protection Act (PDPA) 2010 has finally been gazetted and takes effect today. Businesses have three months to comply with the new law, and violations will result in a fine, imprisonment, or both.
KL Bar Information Technology Committee chairman Foong Cheng Leong confirmed that the law will be effective today, with Abu Hassan Ismail appointed the Personal Data Protection commissioner.
“The law introduced seven principles. In these seven principles, you would need to, for example, get consent if you possess any personal data: name, IC, address, pictures, email and phone numbers.
“Once you get the personal data, you need to give a written notification in BM and English and make sure it’s safe and give it to the relevant parties,” he told The Malay Mail Online when contacted.
Foong, who is also a member of the Malaysian Bar Intellectual Property Committee, said that although businesses are given three months to comply, it would be a challenge for those which have not begun putting their houses in order.
“I think [businesses] are hit quite hard especially those not doing anything since 2009 because the law was introduced since 2009, but I know quite a bit of companies which have started to comply with the law since 2009.
“Most companies would need six months to complete the exercise, so those who have not done anything, need to move very quickly.
“For consumers, expect less phone calls, less SMSes and basically receiving any tele-marketing materials,” he said.
Foong noted, however, that the Malaysian government is exempted from this law.
The PDPA also introduced four new pieces of subsidiary legislation, including one on the registration of data users and classes of data users.
Businesses that are considered data users, including banking and financial institutions, communications service providers, insurance companies, transportation, and utilities, will now have to register with the commissioner.
He also said that data subjects, meaning individuals, would be able to request access to the type of personal data being processed.
“The law provides that there will be no transfer of data outside Malaysia, unless you get consent, or the country or jurisdiction you want to transfer data to is included in the list by the commissioner [which has yet to be released],” he said.
The law stipulates that consent for personal data processing must be explicit: it has to be expressed, rather than implied or assumed. The organiser will also need to justify the reason they need the information they are asking for.
Under the law, consumers have the right to access and correct their data, prevent damage or distress, withdraw from data processing, prevent direct marketing and bring complaints about data abuses to the PDP commissioner.
Data users, meanwhile, are obligated to provide the necessary mechanisms that allow data subjects to exercise these rights.
The provisions also allow consumers to withdraw consent to the processing of their personal data. If the data user continues to process the personal data, it will be liable to a fine of up to RM100,000 or a maximum of one year in jail, or both.
The move comes almost one year after the act was scheduled to take effect on January 1, 2013, but was delayed due to legal formalities. The bill was first drafted in 2001 and was originally expected to be implemented in early 2010.
The law was initially scheduled to be passed on August 16 this year, with businesses using personal user data required to register themselves with the Personal Data Protection Department of Malaysia by November 15, 2013.