The transitional grace period for the Singapore Personal Data Protection Act (PDPA) will end on July 2, while Malaysia’s privacy law came into force on Feb. 15 this year. With the full-fledged enforcement of this legislation, stakeholders across jurisdictions and sectors are eager to take the necessary steps to ensure their data management mechanisms and privacy provisions comply with the law. In this context, senior-level legal experts Lily Khairi and Amir Zharif Abdullah of Shell, Harminder Jaila of Prince Court Medical Centre and Ainul Azlinda Binti Inon Shaharuddin of Telekom Malaysia (TM) provide hands-on advice on addressing pressing matters such as cross-border data transfer, external stakeholder management, education and training, and innovative initiatives such as Privacy by Design.

Q: What are the building blocks of an effective data protection framework/mechanism?

Abdullah and Khairi:
• Getting the right people.
• Setting the right tone.
• Implementing the right plan.

Jaila:
• Robust framework with clearly defined processes and roles of employees.
• Committed management to drive and provide resources.
• Clear guidelines from the enforcement authority.

Shaharuddin: A good Personal Data Protection Programme (PDPP). TM started its own PDPP in 2011. In a nutshell, TM’s PDPP comprises management buy-in, the setting up of a PDP taskforce and a PDP working group, a gap analysis, and interview sessions with divisions in TM that include a review of existing agreements, T & C, forms, policies and procedures. A Privacy Officer was appointed to assist with the compliance exercise and to ensure the smooth implementation of the PDPP. The Privacy Officer and his team also conduct reviews and amendments of the existing policies, forms and agreements, and issue reports to the heads of the divisions and the PDP taskforce. They are also in charge of ensuring periodic PDP taskforce meetings and providing training to create awareness among employees.


Q: What do you consider the top three challenges in the protection of personal data to be?

Abdullah and Khairi:
• Identifying the different streams of personal data collected by the company.
• Implementing a robust, but cost-effective, compliance programme.
• Lack of clarity on the applicability of certain provisions of the Act post-enforcement of the same.

Jaila:
• Change management in the course of protecting personal data (review the process, introduce a new framework, cultivate a new culture, etc.).
• Security concerns (e.g. leakage of data) not within the employer’s control – though this may raise a defence in court, data leakage damages organisational reputation and leads to customer dissatisfaction.
• Difficulty in contacting the data subject / communicating / re-obtaining consent (after a year’s lapse).

Shaharuddin:
• Balancing business needs against the protection of personal data.
• Changes to the business process and procedure.
• A shift in mindset.


Q: How do you ensure data protection compliance covers the company’s interaction with all internal and external stakeholders including customers, employees and vendors?

Abdullah and Khairi:
It is important to involve all stakeholders in the journey towards compliance. Clear communication is vital to ensure that everyone is aligned as any gaps may lead towards an incomplete compliance plan.

Jaila:
• Mapping out the process of your business operation (including its supporting activities) and then identifying all sources of personal data that may be collected.
• Based on the sources of personal data, analyse the extent of compliance applicable to them. Examples include:
  ◦ Consent for processing of personal data
  ◦ Consent for processing of sensitive personal data
  ◦ Consent for transboundary transfer

Overall, this is an on-going process as the stakeholders’ constituents may be very dynamic.

Shaharuddin: Each company must first identify the stakeholders and the mode of communication available for each type or group of stakeholders. Communication may come in physical forms, as digital learning modules for on-boarding exercises, publication in mainstream newspapers, websites, emails, letters, bill messages, bill inserts, snippets, training and awareness programmes.


Q: Could you please share some advice on how to set up an efficient in-house data protection team?

Abdullah and Khairi:
• Appoint a focal point for each business/function.
• Appoint a local subject matter expert for PDPA.
• Leverage internal (if there are experts from the organisation outside of the home country) and external resources (legal firm).

Jaila:
• Train them on the legal requirements of data protection, customised to the industry, if not to the company’s processes.
• Brainstorming sessions with multidisciplinary teams to facilitate the process of knowing the company’s needs/processes better – more effective in customising the procedures for the company.
• Audit is a great learning experience – tie up PDP requirements with internal audit programmes and expose the team to auditing on PDP.

Shaharuddin: Management buy-in is key to the setting up of an efficient in-house data protection team. You may obtain the management buy-in once the management is aware of the severity of the impact the PDPA might have on the company. Towards this end, we would suggest an awareness session be conducted solely for the management, followed by a request for the management to “sponsor” or “support” the setting up of a PDP taskforce. The PDP taskforce should have a “Terms of Reference” or TOR that includes the appointment of a Privacy Officer, as well as the endorsement of PDP programmes and controls.


Q: How does your company face challenges arising from cross-border data transfer? What guidelines do you expect the government to put in place?

Abdullah and Khairi: There are already provisions for the transfer of data outside of Malaysia (i.e. powers of the Minister to declare a list of countries personal data can be transferred to). We hope that the government looks at the EU model where a company is allowed to transfer personal data to a related company outside of the EU, if the related company adopts the Binding Corporate Rules.

Shaharuddin: We do the best we can by ensuring the relevant clauses are in place in the agreements, and the necessary consent has been obtained from customers or employees, respectively.


Q: Do you think Privacy by Design deployment will help to minimise potential data security breaches? If yes, does it really help to build the business brand?

Abdullah and Khairi: It is a good concept, but we need to recognise that a concept is just merely a concept if the implementation is not right. If implemented correctly, the concept may be used to build a business brand – especially if it involves a company which deals with large volumes of personal data.

Shaharuddin: Personally, I’m inclined to agree that Privacy by Design will help to minimise potential breaches. However, the implementation or standards may differ for each company unless a guideline or standard has been issued by the regulators for the companies to adopt or follow.

* * *

Would you like to find out more from these experts? Join ALB’s Data Protection Conference, to be held on June 17 at the Royale Chulan Kuala Lumpur!