Getting the 'G' in ESG right: the Personal Data Protection Act 2010 and obligations for companies operating in Malaysia
Introduction
In the digital age, the safeguarding of personal data has emerged as a paramount concern for individuals and businesses alike. With the proliferation of internet usage and the digitalisation of corporate operations, the protection of personal information from misuse has become crucial. Indeed, 94% of organisations report that their consumers will not buy their products if data is not properly protected[i].
In Malaysia, the Personal Data Protection Act 2010 (PDPA) is landmark legislation for data privacy and protection. It aims to “regulate the processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto”[ii] by providing a legal framework for the collection, processing, and storage of personal data. This article offers a comprehensive overview of the PDPA, focusing on its implications for Malaysian businesses.
The link between the PDPA and ESG Principles
The connection between Environmental, Social, and Governance (ESG) criteria and the Personal Data Protection Act 2010 (PDPA) in Malaysia exemplifies the intertwining of corporate responsibility and legal compliance in safeguarding personal data. Under the "Social" dimension of ESG, companies are increasingly scrutinized for their practices concerning data privacy and protection, reflecting societal expectations for ethical handling of personal information.
The PDPA, serving as a comprehensive legal framework, mandates businesses to adopt practices that ensure the privacy and security of individual data. Compliance with the PDPA aligns with the ESG criteria by demonstrating a firm's commitment to social responsibility and governance excellence. It underscores the importance of ethical data management and protection as a key aspect of corporate social responsibility, enhancing trust among consumers, investors, and stakeholders, while mitigating legal and reputational risks associated with data breaches and non-compliance.
Key Principles of the PDPA
Division 1 of the PDPA sets out its seven foundational principles, which establish legal obligations for data users. A data user is a person “…who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor”[iii]. Each of these principles is explored in detail below.
General Principle
The General Principle is the cornerstone of the PDPA, stipulating that the consent of the data subject is paramount for data processing activities. This principle mandates that businesses must obtain consent from individuals before processing their personal data[iv]. However, where the processing of a person’s data is necessary for[v]:
- The performance of a contract to which the data subject is a party;
- The taking of steps at the request of the data subject with a view to entering into a contract;
- Compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;
- Protection of the vital interests of the data subject;
- The administration of justice; or
- The exercise of any functions conferred on any person by or under any law,
then the data user may still process their personal data. However, this does not apply where the data is sensitive, meaning “…consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette”[vi]. Furthermore, it is mandatory that personal data shall not be processed unless[vii]:
- The personal data is processed for a lawful purpose directly related to an activity of the data user;
- The processing of the personal data is necessary for or directly related to that purpose; and
- The personal data is adequate but not excessive in relation to that purpose.
Notice and Choice Principle
This principle requires that businesses provide clear and comprehensive notices to data subjects at the point of data collection. These notices must be given by the data user as soon as practicable and must inform the data subject of[viii]:
- The fact that their personal data is being processed, with a description of the data being processed;
- The purpose for which the data is being processed;
- Any information available to the data user as to the source of the data;
- The subject’s right to request access to and request correction of the personal data, including personal data relating to others identified from the data;
- The class of third parties to whom the data may be disclosed;
- The choices and means offered for limiting the processing of the personal data;
- Whether the supply of the data is obligatory or voluntary; and
- Where it is obligatory to supply the data, the consequences for the subject if they fail to supply it.
Also, the said notice must be in Bahasa Malaysia and English.
Disclosure Principle
The Disclosure Principle limits the circumstances under which personal data can be disclosed to third parties. It mandates that data must not be shared without the consent of the data subject, except where[ix]:
- The disclosure is required by law or ordered by a court;
- The disclosure is necessary for the prevention or detection of a crime;
- The data user acted in the reasonable belief that he had the right to disclose it;
- The data user acted in the reasonable belief that he would have had the subject’s consent; or
- The disclosure was justified as being in the public interest in circumstances as determined by the Minister charged with responsibility for the protection of personal data.
Security Principle
The Security Principle obliges data users to implement appropriate security measures to protect personal data against potential risks. These measures should guard against data loss, misuse, unauthorized access, disclosure, alteration, or destruction. The principle emphasizes the need for physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of personal data[x].
Retention Principle
According to the Retention Principle, personal data should not be kept longer than is necessary for the fulfilment of its purpose[xi]. Once the purpose for which the data was collected has been achieved, businesses are expected to destroy or permanently delete the data[xii]. This principle aims to minimize the risk of data breaches and ensure that personal information is not held indefinitely without a valid reason.
Data Integrity Principle[xiii]
The Data Integrity Principle requires businesses to maintain the accuracy, completeness, and recency of personal data. Data users must take reasonable steps to ensure that the personal data they process is not misleading and reflects the current situation of the data subject. This principle is crucial for ensuring that decisions based on personal data are made using the most accurate and relevant information.
Access Principle[xiv]
Finally, the Access Principle empowers individuals with the right to access and correct their personal data held by businesses. Data subjects can request information on how their data is being processed and ask for corrections to be made if the data is inaccurate, incomplete, or misleading. This principle ensures transparency in data processing and allows individuals to maintain control over their personal information.
Compliance for Malaysian Businesses
For Malaysian businesses that are data users[xv], compliance with the PDPA is not optional but mandatory. Businesses must ensure that their data collection, storage, and processing practices are in line with the PDPA's provisions. This involves conducting data audits, revising privacy policies, implementing adequate security measures, and ensuring that data subjects are informed of their rights.
Failure to comply with the PDPA can result in substantial penalties, including fines of up to RM300,000 and imprisonment for a term not exceeding two years, or both[xvi]. Therefore, businesses must take proactive steps to comply with the Act, such as implementing comprehensive data security measures and fostering a culture of data privacy awareness.
Implications for Business Practices
The implementation of the PDPA necessitates a shift in how businesses approach data management. Companies must now consider the legal implications of their data handling practices and adopt a more transparent approach towards data processing. This includes obtaining explicit consent from data subjects before collecting their personal information, ensuring the security of the data collected, and providing individuals with the right to access and correct their data. Moreover, the PDPA also affects cross-border data flows: businesses are restricted from transferring personal data outside Malaysia unless the destination is a country specified by the Minister as having an adequate level of data protection[xvii].
Conclusion
The PDPA marks a significant milestone in Malaysia's journey towards safeguarding personal data in an increasingly digital world. It establishes a comprehensive legal framework that demands rigorous data protection standards from Malaysian businesses, thereby instilling a culture of privacy and trust within the digital economy. The Act's foundational principles offer a blueprint for responsible data management, ensuring that personal data is processed with the utmost respect for individual privacy.
As we move forward, the role of data protection will only grow in importance, driven by technological advancements and the expanding digital economy. The PDPA provides a solid foundation for Malaysia to navigate this complex landscape, ensuring that personal data is protected, and privacy is respected. For businesses, embracing the principles of the PDPA is not just about compliance; it's about being part of a larger movement towards a more secure, transparent, and trust-based digital future.
If you would like more information on conducting data audits, revising privacy policies, implementing adequate security measures, and ensuring that data subjects are informed of their rights, contact us at info@aqranvijandran.com.
This article was written by Vishnu Vijandran and only contains general information. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. This article is also available at
_________________________________________________________
[i] Cisco, ‘Cisco 2024 Data Privacy Benchmark Study’ (Cisco) <https://www.cisco.com/c/en/us/about/trust-center/data-privacy-benchmark-study.html> accessed 12 February 2024.
[ii] Preamble, Personal Data Protection Act 2010.
[iii] ibid 4.
[iv] ibid 6.
[v] ibid 6(2).
[vi] ibid 4.
[vii] ibid 6(3).
[viii] ibid 7.
[ix] ibid 8, 39.
[x] ibid 9.
[xi] ibid 10(1).
[xii] ibid 10(2).
[xiii] ibid 11.
[xiv] ibid 12.
[xv] ibid 2.
[xvi] ibid 5(2).
[xvii] ibid 129.