Once implemented, the industry would be given a three-month grace period to comply. Three months is not exactly long enough for any (re)insurer to have a framework efficiently in place.
The least that insurers can do now is to familiarise themselves with the Act and start structuring a viable framework - at least a framework that works when it matters.
Understanding the PDPA is not exactly a mammoth task. What is important is for insurance practitioners to acquire a reasonable level of understanding of the core terms featured in the Act.
It is good to start off with an understanding of the seven (7) data protection principles that form the basis of the PDPA:
(We have highlighted the key terms in CAPITAL LETTERS; they are defined below this section. Scroll down if you need to make the reference.)
- General Principle
  - In general, the PROCESSING of PERSONAL DATA requires the CONSENT of the DATA SUBJECT.
- Notice & Choice Principle
  - DATA USERS are required to notify DATA SUBJECTS of the purpose for which the data is collected and of their right to request access to and correction of the PERSONAL DATA.
- Disclosure Principle
  - Simple understanding here: no PERSONAL DATA shall be disclosed without the consent of the DATA SUBJECT.
- Security Principle
  - The DATA USER must take practical steps to protect the PERSONAL DATA from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
- Retention Principle
  - PERSONAL DATA processed for any purpose shall not be kept longer than is necessary for the fulfilment of the purpose for which it was obtained.
  - There is an exemption for PERSONAL DATA that is anonymised and compiled into data processed for the purpose of preparing statistics or carrying out research, provided the results of the research do not reveal the identity of the DATA SUBJECT.
- Data Integrity Principle
  - The DATA USER shall take reasonable steps to ensure the accuracy of the data and to keep it up to date for the purpose for which it was collected.
- Access Principle
  - The DATA SUBJECT shall be given the necessary access to his or her PERSONAL DATA and shall be able to correct the PERSONAL DATA where it is inaccurate or incomplete.
Understand the important terms in the insurance context:
1. PERSONAL DATA
   - information processed or intended to be processed wholly or partly by...
2. DATA SUBJECT
   - an individual who is identified or identifiable from the data (or information) possessed by the corporation.
3. DATA USER (or Data Controller)
   - the party that controls the PERSONAL DATA and decides how it is processed; the DATA PROCESSOR acts on its behalf.
4. DATA PROCESSOR
   - a legal person who processes the data on behalf of the DATA USER.
5. COMMERCIAL TRANSACTION
   - any transaction of a commercial nature, whether contractual or otherwise.
The Act does not apply to PERSONAL DATA that is:
- processed for the purpose of a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2009,
- processed outside Malaysia, unless that personal data is intended to be further processed in Malaysia, and
- relating to the Malaysian federal and state governments.
For the purpose of this blog posting we will not discuss FRAMEWORKS & MODELS for the efficient and effective implementation of PDPA compliance - suffice to say we keep it simple here by focusing on the understanding part. We hope to work on FRAMEWORKS in a later posting.
With this new Act, (re)insurers & (re)takaful entities must make sense of the following matters, amongst the more important ones:
- What new contents are required in PRIVACY NOTICES, and how is the PERSONAL DATA PROTECTION policy written as an integral part of them?
- Re-examining existing data collection practices, especially where this involves purchasing a database from a third party.
- How is consent to process obtained efficiently?
- What are the best practices in the use and transfer of personal information?
- What mechanisms must be established for individuals to exercise their access and correction rights?
- How do we ensure that data security, retention policies and practices conform to the PDPA?
- What mechanism applies when dealing with specific cross-border limitations on transferring and sharing data within one's own global organisation?
In conclusion, do or die... do give a thought to the PENALTIES & FINES. The penalties for breaching the PDPA include the imposition of fines and/or a term of imprisonment. It is also good to note that directors, CEOs, COOs, managers or other similar officers are jointly liable for non-compliance by the (re)insurer or (re)takaful entity in the absence of a due diligence defence.