26 May, 2016
We have recently completed a Personal Data & Privacy Act (“PDPA”) compliance exercise for a local SME client which owns several car service centres across Malaysia.
After a short introductory discussion, Management recognised the business and reputational value in respecting their customers’ data privacy. They appreciated that having a systematic procedure to collect, process, use, secure and destroy customer personal data within the organization not only minimizes their legal liability, but also enhances customer confidence in their brand.
We worked out a timeline for the PDPA audit to cover no less than 6 departments (Retail, Marketing, IT, Finance, Human Resources, Procurement) within the organization.
Our first step was to conduct interviews with executives of each department, to identify the existing personal data flow within the organization. Our questionnaire covered all 7 principles of the PDPA in detail. This enabled us to understand
what the organization does and how it does it, in respect of personal data protection.
From the interviews, we identified areas of weaknesses & potential breaches, which could attract fines of up to RM500,000 per breach and put the directors at risk of imprisonment.
An example of a ‘high risk area’ is where requests are made by customers to opt-out from marketing messages go unheeded. There was no procedure within the company to comply with such requests. These requests may develop into complaints to the Personal Data Commissioner, which may then result in an investigation by the Commissioner.
Another example of risk exposure we came across was the indefinite retention of customer and employee personal data, beyond any justifiable purpose.
Now for the real work.
We tailored workflows and specific recommendations to strengthen PDPA compliance of the organization, and to ensure practical compliance with the PDPA Standards. Throughout this process, our priority was to strike a balance between ensuring compliance with the law and commercial practicality for our client.
An example was on the issue of ‘how to obtain written consent from existing or past customers’? At times where the client found it impractical to solicit written consent, we recommended other less intrusive options to consider, which were still defensible under law.
In order for our work products to be relevant and usable for our client (and their entire ground team), we obtained management’s input throughout. We were constantly balancing various factors of customer service, brand reputation, logistical convenience, industry standards and business needs of the business with legal compliance. Our client really appreciated this.
Here are some examples of the work products that we delivered:
- Modification of existing forms, procedures, HR handbook, contracts to incorporate PDPA clauses
- Creation of new PDPA notices and policy
- Implemented new procedure for data request and data change by customer & employees
- 1 page workflows per department for easy reference by management and staff
- Table highlighting follow up compliance steps for management to implement at this own time – comprehensive IT policy, marketing materials, update website
We concluded the PDPA compliance exercise with a training session for the management team and compliance officer, to provide a basic understanding of the 7 PDPA principles and how they translated into the day to day business.
For further information, please contact:
Shawn Ho, Partner, Donovan & Ho