Legal and data protection research writer at TermsFeed.
On this page
- 1. The 7 Principles of the Malaysian PDPA
- 1.1. General Principle
- 1.2. Notice and Choice Principle
- 1.3. Disclosure Principle
- 1.4. Security Principle
- 1.5. Retention Principle
- 1.6. Access Principle
- 2. The 10 Fundamentals of Europe's GDPR
- 2.1. Legal, Fair and Transparent Processing
- 2.2. Purpose, Data, and Storage Limitation
- 2.3. Rights of Data Subjects
- 2.4. Consent
- 2.5. Personal Data Breaches
- 2.6. Privacy by Design
- 2.7. Data Protection Impact Assessment
- 2.8. The Transfer of Data
- 2.9. Data Protection Officer
- 2.10. Training and Awareness
- 3. Major Differences Between the PDPA and the GDPR
- 3.1. Personal Data
- 3.2. The Right to Be Forgotten
- 3.3. Right to Data Portability
- 3.4. Privacy by Design
- 3.5. Data Protection Officers
- 4. Summary
The Malaysia Personal Data Protection Act 2010 (PDPA) came into force on November 15, 2013. It was designed to give individuals greater control over their personal data and sensitive personal data, and over how the individuals and organizations with which they do business use that data.
In this article, we'll go over the key similarities and differences between Malaysia's PDPA and the European Union's General Data Protection Regulation (GDPR) and how those differences may affect your business.
The 7 Principles of the Malaysian PDPA
All data users (the PDPA's term for data controllers) established in Malaysia, or that use equipment in Malaysia to process personal data, must comply with the PDPA's seven principles. Six of them are discussed below; the seventh, the Data Integrity Principle, requires that personal data be accurate, complete, not misleading and kept up to date for the purpose for which it is processed.
General Principle
The General Principle prohibits a data user from processing personal data without the consent of the data subject (the customer, client or website visitor). That consent must be recorded in a form the data user can maintain and produce on request, and sensitive personal data requires explicit consent.
Even with consent, a data user may process personal data only where the processing is:
- For a lawful purpose directly related to an activity of the data user
- Necessary for, or directly related to, that purpose, and
- Adequate but not excessive in relation to that purpose
The Act also lists a small set of cases in which consent is not required, such as processing needed to perform a contract with the data subject or to comply with a legal obligation.
Notice and Choice Principle
The Notice and Choice Principle demands that data users inform data subjects of a broad range of issues related to the data subject's personal information.
You must provide a clear written notice, in both the national language (Malay) and English, covering the following:
- Your intent to collect personal information
- What kind of data you collect (personal, sensitive, both, etc.)
- Why you are collecting the data (i.e., what you intend to do with it)
- With whom you share data
- The right of the data subject to request access to, and correction of, their personal data
- Whether supplying the data is obligatory or voluntary, and the consequences if the data subject fails to supply it
- How a data subject may limit the processing of their personal information
- Your contact information
Disclosure Principle
Under the Disclosure Principle, a data user may not disclose a data subject's personal data:
- To any party other than the third parties (or classes of third parties) named in the notice given to the data subject. In other words, you are forbidden from disclosing data to anyone outside the recipients you specifically listed in your notice.
- For any purpose other than the purpose stated in your notice, or a purpose directly related to it
However, you may disclose personal data in the following circumstances:
- The data subject has consented to the disclosure
- The disclosure is necessary to prevent or detect a crime, or for an investigation
- Law enforcement agencies or a court have required or authorized the disclosure
- The disclosure is required or authorized by law or by court order
- The data user reasonably believes the data subject would have consented had they known the circumstances and reasons for the disclosure
- The disclosure is justified as being in the public interest, in circumstances determined by the Minister
Security Principle
Under the Security Principle, data users must take practical steps to protect personal data, having regard to the nature of the data, the harm that could result from a compromise, where and how the data is stored, and the reliability of the people who have access to it.
At a minimum, these steps must protect personal data from:
- Loss, misuse, modification, and unauthorized or accidental access or disclosure
- Unauthorized or accidental alteration or destruction
Additionally, your business must put in place a security policy that details the following:
- Who may access personal data. This must include a registration system that records and monitors access.
- What steps are taken to make sure personal data is always handled confidentially
- What technical measures are in place, such as backup and recovery systems and secure storage
- What steps are in place to make sure personal data is transferred securely
Retention Principle
The Retention Principle establishes that a data user may keep personal data only for as long as is necessary to fulfil the purpose for which it was collected. Once personal data is no longer needed for that purpose, it must be destroyed or permanently deleted.
With that said, the Act sets no fixed statutory retention period. As long as you are still actively using the data for the purposes you disclosed in your notice, no time limit applies.
However, you must also remember that the personal data you hold is subject to inspection by the Personal Data Protection Commissioner. You must therefore maintain full and accurate records, including a record of the personal data you have disposed of.
Access Principle
Under the PDPA's Access Principle, data subjects have the right to access their personal data and to have it corrected. Specifically, if data subjects believe their personal data is incomplete, inaccurate, outdated or misleading, they may request access to it and require that it be corrected.
On the other hand, the PDPA sets out certain circumstances in which a data user may refuse access, for example where it cannot verify the requester's identity or where complying would disclose another individual's personal data.
The 10 Fundamentals of Europe's GDPR
Europe's GDPR lays out regulations concerning how companies must process and protect the personal information of data subjects in the European Union.
The following are ten fundamentals that define the GDPR.
Legal, Fair and Transparent Processing
Under the GDPR, companies that process personal data must do so lawfully, fairly and transparently. This means that:
- Every processing activity must rest on one of the lawful bases in Article 6 (consent, contract, legal obligation, vital interests, public task or legitimate interests)
- Companies are accountable for their processing and must be able to demonstrate compliance, and are liable for processing that has no legitimate basis
- Companies must keep data subjects informed about how their personal data is processed
Purpose, Data, and Storage Limitation
Companies are expected to limit the processing of personal data. Under the GDPR, they must only collect data that is necessary and must not retain data once the purpose for which it was collected has been satisfied.
Rights of Data Subjects
The GDPR gives data subjects a number of rights. For example, they have the right to obtain confirmation of whether a company holds personal data about them, a copy of that data, and an explanation of what the company does with it. Additionally, data subjects may request corrections to that information.
Moreover, the data subject may formally object to having their data processed, ask for the transfer or deletion of their data, or lodge an official complaint.
Consent
Consent is one of the GDPR's six lawful bases for processing, and the one most websites rely on. Where you rely on it, the consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act; explicit consent is required for special categories of data such as health or biometric data. That consent must be documented, and the data subject can withdraw it at any time, as easily as it was given.
The best practice way to do this is with a checkbox, unchecked by default, that users must actively tick to show consent (a pre-ticked box does not count as consent):
When relying on consent to offer an online service directly to a child under 16, companies must obtain the consent or authorization of the holder of parental responsibility before processing the child's data. Individual member states may lower this age threshold to as low as 13.
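The three consent requirements above (an affirmative act, a documented record, and withdrawal at any time) are easy to get wrong server-side even when the checkbox looks right. The following is an added example, not code from the original article or from TermsFeed: a minimal in-memory consent ledger that rejects pre-ticked or unticked boxes, insists on parental authorization for a child under the Article 8 threshold, and keeps an append-only history so withdrawal can be proven. The class, field names, the fixed 16-year threshold and the constructed form submissions are assumptions for illustration only.

```javascript
// Added example (not from the original article): a consent ledger that
// enforces the GDPR consent points discussed above. Names and the in-memory
// store are illustrative assumptions; a real deployment would persist events.

// GDPR Art. 8 default; member states may lower this to 13 (assumed fixed here).
const CHILD_AGE_THRESHOLD = 16;

class ConsentError extends Error {}

class ConsentLedger {
  // `now` is injectable so records can be reproduced in tests.
  constructor(now = () => new Date()) {
    this.now = now;
    this.events = []; // append-only: nothing is ever edited or deleted
    this.nextId = 1;
  }

  // Record a consent decision submitted from a web form.
  // `form.checkbox` carries both the submitted state and the default state
  // the box was rendered with, because a pre-ticked box is not consent.
  record(form) {
    const { subjectId, purposes, noticeVersion, checkbox, age, parentalAuthorization } = form;
    if (!subjectId) throw new ConsentError("missing subjectId");
    if (!Array.isArray(purposes) || purposes.length === 0) {
      throw new ConsentError("consent must name at least one specific purpose");
    }
    if (checkbox.defaultChecked) {
      throw new ConsentError("pre-ticked checkbox is not an affirmative act");
    }
    if (!checkbox.checked) {
      throw new ConsentError("data subject did not tick the consent box");
    }
    if (Number.isInteger(age) && age < CHILD_AGE_THRESHOLD && !parentalAuthorization) {
      throw new ConsentError(`subject under ${CHILD_AGE_THRESHOLD}: parental authorization required`);
    }
    return this.append({
      type: "granted",
      subjectId,
      purposes: [...purposes],
      noticeVersion,                 // which version of the privacy notice the subject saw
      parentalAuthorization: Boolean(parentalAuthorization),
    });
  }

  // Withdrawal must be possible at any time; it is logged, not erased.
  withdraw(subjectId, purposes) {
    return this.append({ type: "withdrawn", subjectId, purposes: [...purposes] });
  }

  // Current state for one purpose: the most recent event for it wins.
  hasConsent(subjectId, purpose) {
    let granted = false;
    for (const e of this.events) {
      if (e.subjectId === subjectId && e.purposes.includes(purpose)) {
        granted = e.type === "granted";
      }
    }
    return granted;
  }

  // Full documented history for a subject (for an access request or an audit).
  history(subjectId) {
    return this.events.filter((e) => e.subjectId === subjectId);
  }

  append(event) {
    const stored = { id: this.nextId++, recordedAt: this.now().toISOString(), ...event };
    this.events.push(stored);
    return stored;
  }
}

// Constructed sample submission, as a web form handler might pass it in.
function demo() {
  const ledger = new ConsentLedger();
  const form = {
    subjectId: "user-42",
    purposes: ["newsletter", "analytics"],
    noticeVersion: "2024-01",
    checkbox: { checked: true, defaultChecked: false },
    age: 34,
  };
  ledger.record(form);
  ledger.withdraw("user-42", ["analytics"]);
  return {
    newsletter: ledger.hasConsent("user-42", "newsletter"), // true
    analytics: ledger.hasConsent("user-42", "analytics"),   // false after withdrawal
    events: ledger.history("user-42").length,               // 2
  };
}

console.log(demo());
```

The point of `defaultChecked` is that the server, not the browser, is the last line of defence: a form that renders the box pre-ticked will still submit `checked: true`, so the handler has to know how the control was rendered to reject it. Keeping the notice version on each event lets you show exactly which wording the subject agreed to when a regulator or the subject asks.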
Personal Data Breaches
All controllers must document every personal data breach (the facts, its effects and the remedial action taken) so the supervisory authority can verify compliance. Unless the breach is unlikely to result in a risk to individuals, the supervisory authority must be notified within 72 hours of the company becoming aware of it, and if the breach is likely to result in a high risk to individuals, the affected data subjects must also be told without undue delay.
Privacy by Design
Organizations must include technical and organizational mechanisms to protect personal information when designing new processes and systems. In other words, companies must ensure privacy and protection from the very beginning. This is known as Privacy by Design.
Data Protection Impact Assessment
A Data Protection Impact Assessment must be carried out before starting any processing that is likely to result in a high risk to individuals, for example large-scale processing of special-category data, systematic monitoring of a public area, or profiling that produces legal effects. It is good practice to run one whenever a new project, product or significant change touches personal data, to estimate the impact of the proposed processing and decide how to mitigate it.
The Transfer of Data
Data controllers are obligated to make sure that personal data remains protected when it is transferred outside the organization to a processor or another third party, and, when it leaves the EU/EEA, that the transfer rests on a recognized mechanism such as an adequacy decision, standard contractual clauses or binding corporate rules.
Data Protection Officer
Companies are required to appoint a Data Protection Officer (DPO) if they are a public authority, if their core activities involve regular and systematic monitoring of data subjects on a large scale, or if they process special categories of data on a large scale. The DPO must advise the company and monitor its adherence to the GDPR's requirements.
Training and Awareness
Companies are required to promote awareness among their employees concerning the demands of the GDPR. To do so, they must engage in regular training to make sure their employees are aware of their responsibilities concerning personal data protection.
Major Differences Between the PDPA and the GDPR
As stated at the beginning of this article, many of the governing principles of Europe's GDPR sound similar to those of Malaysia's PDPA. However, data subjects within the European Union are provided greater rights.
Below are the major differences.
Personal Data
Malaysia's PDPA applies only to personal data processed in respect of commercial transactions, from which a data subject can be identified. In contrast, the GDPR's definition of personal data is not restricted to commercial transactions.
The two laws are similar, though, in that both the PDPA and GDPR concentrate on a data subject's "identifiability" or "identification potential" to decide if the data provided constitutes "personal data."
The Right to Be Forgotten
Under Article 17 of the GDPR, EU residents have the right to have their personal data erased in certain circumstances, for example when they withdraw consent, or when the organization no longer has a lawful basis to process the data.
Moreover, Article 21 of the GDPR gives data subjects the right to object to the processing of their data, and companies must respond to such requests without undue delay and in any case within one month (extendable by two further months for complex requests).
The PDPA, on the other hand, has no such provisions. The closest comparison is the Retention Principle: companies in Malaysia may keep personal data only for as long as is necessary to satisfy the purpose for which it was collected. However, there is no fixed time limit, and the data subject has no right to demand erasure.
Right to Data Portability
Residents of the EU have the right to ask for their personal data in a machine-readable format. They can then transfer that information to another data controller without compromising its usability or security.
Malaysian data subjects do not enjoy the same rights as the PDPA does not address data portability. The PDPA provides data subjects the right to access their personal information and view it in documentary form. Businesses must also provide data subjects with copies of their data if viewing it in documentary form is not practical.
However, the PDPA doesn't provide for the explicit right of a data subject to transfer their information from one business to another.
Privacy by Design
As noted in the GDPR's ten fundamentals, businesses must take data privacy and protection into account when designing systems and processes. Additionally, companies must take organizational and technical steps to ensure that data protection principles are upheld at all times.
In contrast, the PDPA does not require data users to design their systems or processes with privacy or protection in mind.
Data Protection Officers
Under the GDPR, DPOs are required to have expert knowledge of data protection law and practice. Organizations must publish the DPO's contact details and communicate them to the supervisory authority, and must give the DPO sufficient resources to carry out their duties.
Additionally, Data Protection Officers must report directly to the highest level of management within the organization and must not perform any task that might cause a conflict of interest.
The PDPA, by contrast, says far less about DPOs: their responsibilities and the technical knowledge they need are not defined the way the GDPR defines them, and businesses are not required to register their DPO with a supervisory authority.
Moreover, the PDPA has no provision requiring that a DPO avoid conflicts of interest, report to the highest level of management, or be given the resources needed to perform the role.
Summary
Key differences between Malaysia's PDPA and Europe's GDPR are found in areas such as:
- Personal data
- The right to be forgotten
- The right to data portability
- Privacy by design
- Data protection officers
Both the Malaysian PDPA and Europe's GDPR are designed to protect their respective residents' privacy and personal data.
While there are many commonalities between these laws, companies doing business in either region need to understand the nuances of each when operating within them. Note also that the Personal Data Protection (Amendment) Act 2024 narrows several of the gaps listed above, introducing mandatory breach notification, a right to data portability and mandatory appointment of a data protection officer, so check the text of the Act as currently in force.