What You Need to Know About Personal Data Retention in Malaysia

By Sharanya Mohan

September 23, 2022

Security was the sole focus in the early days of the internet. However, as social media grew, the concept of data privacy started circulating more widely. With companies such as Google leveraging data to improve their services and sharpen their targeted ads, the question of data privacy began to dominate internet discourse. Many of the internet’s big players have mostly been transparent about what they do and don’t do with your data.

Nevertheless, with companies such as Meta (formerly Facebook) facing constant lawsuits related to data breaches, the concept of data privacy has been driven further into the public eye. Guidelines regarding the flow of data have existed since the 1980s (OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data). However, the EU only formalised many of these key concepts as law in 2018, in the form of the General Data Protection Regulation (GDPR).

The EU isn’t the only jurisdiction to implement legislation that enforces (data) privacy as a basic human right. In fact, at the time of this article’s inception, at least 71% of the world’s countries had implemented some form of data protection legislation. Malaysia is one of the earliest adopters of codified legislation. If you wish to operate or collaborate with businesses in Malaysia, you must understand the intricacies of their laws regarding data retention and protection. This is what the following guide will explore.

Understanding the Purpose of Data Protection in Malaysia

Malaysia has over 26.79 million internet users. That’s 89.6% of the total population. By 2020, it had the highest internet population in South East Asia, with Thailand coming second and Singapore third. Malaysia also has an active population of social media users (just under 26 million users), with Facebook as the most popular platform of choice (22 million users).

This means there is precedent for many of its laws and attitudes toward data privacy. Essentially, understanding Malaysia’s data restrictions and regulations will require you to venture into Malaysia’s data usage past (and present).

Globally, we produce over 2.5 quintillion bytes (1 quintillion bytes = 1 million terabytes) daily. Because of all the ways data can be used to understand and influence people, it’s become a commodity. Additionally, the last decade has seen more Malaysians adopt online shopping. The revenue generated from online shopping is expected to reach USD 10.12 billion by the end of 2022. Much of this revenue is generated from purchases of items from foreign countries such as China.

Consequently, the government must regulate these transactions. It’s not just a matter of personal user security; it also has the potential to become one of national security. Of course, no country wants all the personal data of its citizens to fall into foreign hands. Thus, certain standards, rules, and regulations must be met to protect the people of Malaysia. However, what do we mean by personal data?

What is Personal Data?

Personal data is defined as “any information or a chain of information that allows an individual to be identified”. Thus, the most crucial data identifies who you are (name, surname, ID/passport number), who you are connected to (people you know), and where you live (your location).

Often, it takes a combination of records or pieces of information to identify a single person. For instance, you can’t be identified simply by your first name, as many people share one. You can, however, be identified by your name and address. Nevertheless, personal data isn’t limited to textual information. For instance, you can be identified by photographs, videos, and possibly sound recordings.

Some categories of personal data are more sensitive than others and often receive special protection. For instance:

  • Health Information (Protected by HIPAA in most countries. Malaysia does not have an equivalent)
  • Race/Ethnicity
  • Religion
  • Police Records
  • Political Affiliations

Generally, most people should be uncomfortable with their private data falling into the wrong hands. However, data protection isn’t just a matter of comfort or public security. Privacy is seen as a universal human right. According to Article 12 of the UN Universal Declaration of Human Rights: “No one shall be subjected to arbitrary interference with his privacy”. Mishandling personal data can be seen as an infringement on your privacy and basic human rights. Thus, it should be dealt with lawfully. This is the ultimate purpose of Malaysia’s Personal Data Protection Act.

What is the Malaysian Personal Data Protection Act?

The Personal Data Protection Act of 2010 (PDPA) defines laws that protect the personal data of Malaysian citizens, particularly concerning commercial transactions. The PDPA is segmented into 7 core principles that you and your organisation should be familiar with.

The 7 key principles of Malaysia’s PDPA are as follows:

1. General Principle

First and foremost, organisations and individuals must acquire consent before they can use and process customers’/users’ personal data.

2. Notice and Choice Principle

Organisations and individuals are required to provide a written notice that gives users/customers full transparency about the type of personal data that is collected, the purpose for which it will be used, and to whom it will be disclosed.

3. Disclosure Principle

Organisations and individuals are restricted from disclosing users’/customers’ personal data to any third party without their consent.

4. Security Principle

Organisations and individuals are required to take the necessary steps to protect the user’s/customer’s personal data from being:

  • Lost
  • Misused 
  • Stolen
  • Modified
  • Accessed accidentally or without permission
  • Disclosed without permission
  • Altered
  • Destroyed

This often means that vendors/organisations must ensure that their IT infrastructure is secure by adopting the necessary practices and protective measures. These measures could come in the form of software such as antimalware and firewalls, as well as cybersecurity training for employees. Additionally, organisations must create backups to mitigate loss or corruption. Data can be monitored for unauthorised alterations by implementing revision tracking solutions.

5. Retention Principle

While many of the principles in the PDPA could be regarded as common sense or practices that organisations should already be enforcing, the retention principle is a bit more specific in its requirements. The retention principle requires that organisations and individuals do not keep personal data longer than is necessary.

Furthermore, all personal data that is no longer required or exceeds a specified retention period must be erased, destroyed, and/or permanently deleted. How long organisations/individuals (as data users) can retain data depends on the data type.

For instance, payroll data that still holds legal significance can be kept for up to seven years before deletion, according to section 82 of the Income Tax Act of 1967. Conversely, personal data collected through forms during a transaction that holds no legal significance must be disposed of within 14 days after it’s processed and/or used (see paragraph 6 of the Personal Data Protection Standard of 2015). Furthermore, organisations (the data user) must institute a well-maintained personal data disposal schedule for inactive data within a 24-month period.

6. Data Integrity Principle

Organisations must take reasonable steps to ascertain the accuracy and completeness of collected personal data. This data should not be misleading and must be kept up to date where necessary.

7. Access Principle

Users/customers from whom the data was collected must have the right to access said personal data and to correct it if any of it is inaccurate, incomplete, misleading, or outdated.

What Are the Repercussions of Non-Compliance?

Failure to comply with the PDPA can leave your organisation liable to pay a fine of between RM 100,000 and RM 500,000 and/or serve between one and three years of imprisonment. Commissioners of the Personal Data Protection Department (PDPD) have the power to perform inspections at any time.

You cannot take a lax approach to personal data management in Malaysia. Thus, you must take steps to protect your customers’/users’ personal data and, in turn, protect your company and its image. Failing to meet these laws also has the potential to strain international relations between Malaysia and your company’s originating nation. You don’t want to be the reason that a dark shadow is cast on your country. Besides studying all related legal material, what can you do to ensure that you meet personal data protection and retention laws in Malaysia?

How to Meet Malaysian Data Retention and Protection Regulations?

The first step is to be cognizant of how long you can retain data, especially data that has already been processed and used. Again, the length of time you can keep and/or store personal data depends on its legal value. However, in most cases, you’ll be working with consumer data of very little legal worth. While dormant, unused personal data can be kept for up to 24 months, it is recommended to erase it within two weeks.

Personal data should be kept in secure storage that is encrypted and backed up. You must develop and schedule routine data erasure. Typically, this can be automated. However, most organisations take the intricacy of thorough data erasure for granted. Simply deleting the data won’t do: data recovery experts can use forensic tools and other techniques to recover data that was seemingly permanently deleted.
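As an added example (not code from the article or from SPW), the retention limits quoted under the Retention Principle above and the erasure scheduling described here can be expressed as a small policy evaluator: each record carries a category and the date it was last processed, and the evaluator reports the disposal due date and which records are already overdue. The category names, record ids and dates are constructed, and the mapping of those categories to the quoted limits is an assumption made for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Retention limits quoted in the article; the category labels are this
# example's own (constructed) and would come from a real data inventory.
RETENTION_LIMITS = {
    "payroll": ("years", 7),           # s.82 Income Tax Act 1967: keep up to 7 years
    "transaction_form": ("days", 14),  # para 6, Personal Data Protection Standard 2015
    "inactive": ("months", 24),        # disposal schedule for inactive data
}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_processed: str  # ISO date (YYYY-MM-DD) of last processing or use

def add_period(start: date, unit: str, n: int) -> date:
    """Advance a date by whole days, months or years, clamping to month end."""
    if unit == "days":
        return start + timedelta(days=n)
    months = n * 12 if unit == "years" else n
    total = start.month - 1 + months
    year, month = start.year + total // 12, total % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def disposal_due(record: Record) -> str:
    """ISO date after which the record must be erased under its category's limit."""
    unit, n = RETENTION_LIMITS[record.category]
    return add_period(date.fromisoformat(record.last_processed), unit, n).isoformat()

def disposal_schedule(records, today_iso: str):
    """Rows of (record_id, due_date_iso, overdue) ordered by due date."""
    rows = [(r.record_id, disposal_due(r), disposal_due(r) < today_iso) for r in records]
    return sorted(rows, key=lambda row: row[1])

def overdue_ids(records, today_iso: str):
    """Record ids whose retention limit has already passed and need erasure."""
    return [rid for rid, _, late in disposal_schedule(records, today_iso) if late]

# Constructed sample inventory, evaluated against the article's publication date.
SAMPLE = [
    Record("form-001", "transaction_form", "2022-09-01"),
    Record("pay-2016", "payroll", "2016-03-31"),
    Record("cust-778", "inactive", "2021-01-15"),
]
```

Flagging is only the scheduling half: whatever consumes the overdue ids must erase with a verified sanitisation method, since a plain delete leaves the data recoverable.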

Hence, you shouldn’t leave data deletion up to your general staff. We advise you to partner with a data and IT asset management partner that can help you completely erase and destroy all personal data. SPW is one such organisation.

We are competent in multiple data erasure techniques, including data sanitisation and data-grade wiping. We also operate in multiple regions across the globe, including Malaysia. When you’re looking for data destruction solutions, you must ensure that the provider is familiar with the regulations and restrictions of the countries in which you operate. This allows them to understand the extent of your data erasure requirements. SPW offers these capabilities. You won’t have to worry about the PDPA hanging over your head like the fabled Sword of Damocles.

Conclusion

The PDPA isn’t the only factor in determining how to handle data in Malaysia. Effectively, organisations must consult additional reading material such as the 2015 PDPS to determine the correct standards and procedures concerned with handling data in Malaysia. Nevertheless, there are some simple rules of thumb you can follow.

For instance, your organisation must maintain exceptional data hygiene by ensuring that it regularly purges dormant data that’s outlived its usefulness. Aim to do it within two weeks of processing said data. Notwithstanding, your organisation should consider the how as well as the when. You need an effective and reliable data disposal solution that can ensure that all data is erased in a timely manner.

This allows your organisation to meet the standards, regulations, and rules the Malaysian government sets, and will save you from scandals or penalties that may inflict permanent damage on your company’s brand. SPW has the experience, connections, and expertise to effectively destroy and erase all personal data to ensure that your organisation stays on the right side of the law. If you want more details about how we can help you ensure you meet Malaysian data retention periods, do not hesitate to contact us.