PDPA Malaysia Penalty: What is the Cost of Non-Compliance?
Non-compliance with PDPA Malaysia's principles can come with hefty costs that can damage your business. On top of caring about the day-to-day operations of running your business, you also need to ensure that your business is not violating the PDPA principles.
This is easier said than done because we all know how confusing the world of personal data protection can be. To help your business stay on the right side of the law, we have compiled this complete guide on avoiding non-compliance with the PDPA Malaysia.
Let's dive in.
Key Takeaways
- PDPA gives Malaysian citizens more control over how, when, and why their data is being collected and processed. The law provides data subjects with rights and responsibilities that businesses must carry out.
- Businesses can receive fines of up to MYR 300,000 ($70,000) and two years imprisonment for breaching one of the seven principles of the Malaysia PDPA.
- Businesses that collect, process, or share personal data without consent can attract fines of up to MYR 500,000 and three years of imprisonment.
What is PDPA Malaysia?
PDPA Malaysia is a personal data protection act that was introduced in Malaysia in May 2010 and only received Royal Assent in June 2010 before becoming enforceable in November 2013.
The new personal data law now gives Malaysian citizens more control over how, when, and why their personal data is being collected and processed. The law provides data subjects with rights and responsibilities that businesses must carry out.
Over the years, there have been some amendments to the PDPA. In 2015, additional security standards were introduced with the Personal Data Protection Standard.
Then, in 2016, there were two additional amendments: the Order Amendment and the Compounding of Offences Regulations. The latest amendment, called the Personal Data Protection (Appeal Tribunal) Regulations 2021, was passed in 2021.
The PDPA Malaysia is enforced by the Malaysian Ministry of Justice, which belongs to the Commissioner of the Department of Personal Data Protection (PDP).
Scope of PDPA Malaysia
Like most other personal data protection acts, the scope of application is broken down into three sections:
- Personal
- Territorial
- Material
On a personal level, the PDPA Malaysia governs that any individual or data controller that is involved in the processing of personal data is subject to the principles of the PDPA. However, third parties processing on behalf of the data controller are not subject to the PDPA.
Regarding the territorial scope, if you are processing personal data obtained from Malaysian citizens, your business is subject to the PDPA. An exception to this is personal data that is processed outside of Malaysia.
The material scope of the application refers to who is collecting, processing, and sharing personal data as well as the purposes of the collected personal data.
There are some exemptions to the PDPA scope of application. These include:
- Data handlers processing data outside of Malaysia
- Data processing by the Federal and state governments of Malaysia
- Data processing for judiciary purposes
- Data processing for statistics
- Data processing for journalistic, literary, or artistic purposes
- Data processing for the safety of the public and the mental and physical health of a data subject
There are certain exemptions provided by the PDPA. For example, data used for personal or household activities are not subject to the PDPA, nor is data used by state or federal governments or for criminal investigation purposes.
- Want to comply with PDPA Malaysia? Contact us now today for a 100% free consultation.
PDPA Malaysia Penalty
Any sort of violation of the 7 principles of the PDPA Malaysia will be overseen by the Commissioner of the Department of Personal Data Protection (PDP) as outlined in Article 55 of the PDPA.
The PDPs are the ones who enforce the regulations and are also the ones who decide what sort of penalty a non-compliant business will receive. The PDP issues both monetary and criminal penalties for non-compliance.
PDPA Malaysia has kept things simple when it comes to non-compliance violations by issuing fines of up to MYR 300,000 ($70,000) and two years imprisonment for breaching one of the seven principles.
Consent is important in PDPA Malaysia, and so any business that unlawfully collects, processes, or shares personal data can attract fines of up to MYR 500,000 and three years of imprisonment.
Violation of the PDPA territorial scope can see your business fined up to RM300,000 and two years imprisonment.
How to Prevent PDPA Penalties?
As you can see, PDPA Malaysia is quite strict with the penalties issued, so you'll want to avoid attracting one of them by making sure that your business remains compliant with the law. You can do so by following these guidelines:
Abide by data subject rights
First and foremost, your business should always ensure that you are abiding by data subject rights. The PDPA has given data subjects more control over how their personal data is collected, processed, and transferred.
Should you violate any of these rights, you may find your business being issued with monetary or criminal penalties.
There are four data subject rights that you need to be aware of:
- Right to be informed
- Right to access
- Right to object/opt-out
- Right to prevent processing of personal data for direct marketing
In a nutshell, your business has to issue written notices for consent in English and Malay to data subjects before collecting, processing, and transferring their personal data. Under the PDPA, data subjects have the right to know how, when, why, and where their personal data is being used.
Data subjects also have the right to access their collected personal data and make requests for rectification should their information be incorrect, misleading, or no longer accurate.
The PDPA Malaysia gives data subjects the right to withdraw consent via written notice. If your business continues to collect, process, and share this personal data, you will be issued a fine.
Register with the Commission if needed
PDPA Malaysia requires that certain classes of data users need to register with the Commission. Businesses within the specified categories must pay a registration fee of 100 to MYR 400.
Once the fee has been paid, businesses will be issued with a certificate of registration that is valid for 12 months and will need to be renewed thereafter. These certificates will need to be displayed at each business branch.
Businesses that fall under the following sectors will need to register with the Commission:
- Financial institutions
- Insurance
- Health
- Tourism and hospitality
- Education
- Transport
- Services such as legal, engineering or retail
- Real estate
- Moneylenders
- Utilities
Follow data localization rules
The PDPA Malaysia prohibits data transfer of personal data collected in Malaysia out of the country unless it is being transferred to a country that has been specified in the Official Gazette by the Minister.
There are some exceptions to this, like if the person the data is about consents or it is necessary to send the data because of a contract and sending the data is safe.
Maintain records
To remain compliant with the PDPA Malaysia, you need to ensure your business is keeping updated records of any applications, requests, notices, records of consent, consent withdrawals and any other relevant information about the collecting, processing, and sharing of personal data.
These records need to be maintained regularly so that they are ready for inspection should the Commission request it.
Report data breaches
While there is no current requirement for businesses to notify the authorities about a data breach, a Public Consultation Paper 1/2018 has been issued by the authorities to introduce a data breach notification regime.
This new regime would state that businesses have 72 hours from learning about the data breach to report it to the Commission. The paper still needs to be gazetted.
Certain sectors, including the health and finance sectors, have data breach notification obligations posed to them by regulators and authorities.
If your business is in the health sector and a data breach occurs, you are obligated to report this to the Director-General according to Section 37(1) of the Private Healthcare and Facilities Act 1998.
For businesses within the finance sector, there are a number of different obligations. For example, the Guidelines on Data Management and Management Information System ('MIS') Framework requires businesses to inform the Central Bank of Malaysia of potential security risks and breaches.
Enter into contracts with data processors
If your business is using a data processor to process collected personal data on your behalf, PDPA Malaysia has measures in place to provide data privacy.
This means ensuring that your data processor has sufficient security measures governing the data processing and that your business enters into a contract with third-party processors.
Follow protocols regarding children's data
Make sure that if your business is collecting personal data from minors, which, according to the PDPA, are persons under 18 years old, you are getting consent from a parent, legal guardian, or someone who has parental responsibility for the minor.
Collecting, processing, and transferring the personal data of a minor without consent can result in heavy monetary fines and criminal penalties.
FAQs
How do I report a personal data breach in Malaysia?
While data controllers have no obligation to notify authorities of a data breach, data subjects can report them to the Personal Data Protection System (SPDP).
Stay compliant by staying updated on data breach notification best practices.
What is the penalty for a PDPA breach in Malaysia?
Because a PDPA breach would be considered a violation of the principles of the PDPA Malaysia, businesses can expect fines from RM100k to 500k and up to three years of imprisonment.
Identify data security risks by hiring a DPO to keep data breaches at a low.
Does GDPR apply to Malaysia?
No, unless your business in Malaysia is offering goods, services, or dealing with the personal data of residents in the EU.
Learn more about the GDPR here.
What is the retention period for personal data in Malaysia?
The PDPA Malaysia states that personal information used for commercial transactions needs to be disposed of within 14 days. Businesses also need to have a data disposal schedule for a period of 24 months for inactive data.
Learn more about what sensitive personal information is.
How Can Captain Compliance Help?
Non-compliance with the 7 principles of PDPA Malaysia can result in your business being issued fines and even imprisonment, depending on your violation. This can be damaging to your profits and your business's reputation.
Stay on the right side of the Malaysian personal data protection principles by choosing Captain Compliance to help you navigate the complex nuances of the Personal Data Protection Act. To help businesses like yours, we offer corporate compliance and outsourced compliance solutions, like compliance training, to help your business remain compliant with the 7 principles of PDPA Malaysia.
Get in touch with Captain Compliance today for a complimentary consultation.