This document (a slide deck) covers Malaysia's Personal Data Protection Act 2010 (PDPA) and the impact of the EU General Data Protection Regulation (GDPR) on Malaysian organisations, using MyCEB as the worked case. It refreshes the key concepts of personal data protection (the definitions of personal data and sensitive personal data, and the PDPA's seven principles), summarises the main differences between the PDPA and the GDPR, including GDPR requirements such as mandatory breach notification, and closes with MyCEB's personal data protection framework and a staged action plan for MyCEB to implement compliance.
1. Malaysia: Personal Data Protection Act (PDPA) 2010
Hairul Hafiz B Hasbullah
Data Protection (Part 5)
Impact of the EU General Data Protection Regulation on MyCEB
2. OBJECTIVE
• Refresher
• The key differences between the EU General Data Protection Regulation (GDPR) and the PDPA 2010
• The impact the GDPR has on Malaysian organisations (MyCEB)
• MyCEB's personal data protection framework
3. REFRESHER
What is personal data?
Information about an identifiable individual that is recorded in any form
Types of data
Data subject / data user / data processor
4. TYPES OF PERSONAL DATA?
• Home address
• Home telephone number
• Age, date of birth, gender
• Blood type
• Ethnicity, nation of origin, colour of skin
• Religious beliefs
• Health care / medical history
• Marital status
• Identifying numbers (NRIC)
• Credit card numbers
• Criminal records, fingerprints
• Curriculum vitae
• Educational history
• Financial history
• Employment information
• Exact salary
5. WHAT IS SENSITIVE DATA?
Any personal data consisting of information as to:
• the physical or mental health or condition of a data subject
• his political opinions
• his religious beliefs or other beliefs of a similar nature
• the commission or alleged commission by him of any offence; or
• any other personal data as the Minister may determine
Note: sensitive personal data can only be processed under the specific circumstances set out in the PDPA (section 40), including explicit consent by the data subject.
6. REFRESHER
What are the 7 Principles?
1 General
2 Notice and Choice
3 Disclosure
4 Security
5 Retention
6 Data Integrity
7 Access
9. WHERE ARE WE?
Collection of Personal Data
1 Do you collect personal data about your customers?
2 Do you have a personal data inventory map (what data is collected, who collects it, where it is stored, and who it is disclosed to)?
3 When collecting personal data, do you clearly inform the individual of the purpose for which it is collected and obtain consent?
4 Do you ensure that third parties have obtained consent from the individuals before disclosing their personal data to you?
5 Is there a formal process for individuals to withdraw consent in respect of the collection?
10. WHERE ARE WE?
Use of Personal Data
6 Do you limit the use of personal data collected to only the purposes for which you have obtained consent?
7 Before the data protection requirements of the PDPA come into operation, are you using personal data only for the purposes for which it was collected?
Disclosure of Personal Data
8 Do you limit the disclosure of personal data collected to only the purposes for which you have obtained consent?
11. WHERE ARE WE?
Retention Limitation
15 Is there regular data housekeeping?
16 Do you remove personal data that is no longer needed for business or legal purposes?
13. BACKGROUND OF THE GDPR
• Replaces the regime of the Data Protection Directive 95/46/EC, implemented in the UK as the Data Protection Act 1998
• The EU GDPR took effect on 25 May 2018
• 99 Articles in the Regulation
15. WHAT DO YOU NEED TO DO AT YOUR WORKPLACE?
11 things
16. THE GDPR APPLIES TO MALAYSIAN ORGANISATIONS IF THEY
a. have an establishment (such as a subsidiary or branch) in the EU;
b. offer goods or services to individuals in the EU; or
c. monitor the behaviour of individuals that takes place within the EU
Note: Malaysian organisations that fall within the jurisdictional reach of the GDPR without an EU establishment must appoint an EU-based representative (Article 27), unless the processing is only occasional, does not include large-scale processing of special categories or criminal-offence data, and is unlikely to result in a risk to individuals.
17. KEY HIGHLIGHTS OF THE GDPR
• Data breach notification to the supervisory authority within 72 hours of becoming aware of the breach
• Appointment of a data protection officer (DPO) where required
• Introduction of the right to erasure (the right to be forgotten)
• Introduction of the right to data portability
• Rights related to automated decision-making and profiling
• Consent (freely given, specific, informed and unambiguous)
• Special categories of data (sensitive data)
• Privacy notice
18. ACTION PLAN
MyCEB
Implementation: Stage 2
• Forms and agreements (internal and external)
• Person in charge for each division
• Establish a data retention policy
• Housekeeping and erasure (clean up and update data)
• Provide access for data subjects to amend their data
• Apply the PDPA policy form across the board
• Amend the website policy for the PDPA
• Email clients about the policy update