PDPA: Malaysian Data Privacy Regulations in App Development
At Lizard Global, the privacy of our clients and their users is our number one priority when it comes to creating our digital solutions. That’s why we make sure that the tools we use and the technologies we implement are always aligned with the latest laws and regulations regarding data privacy. In our article on European privacy regulations in app development, you could read about the General Data Protection Regulation, or GDPR, and how it affects the way app creators handle our personal data. This time, we zoom in on privacy regulations in the Association of Southeast Asian Nations (ASEAN), and the Personal Data Protection Act in Malaysia in particular.
What is PDPA?
On November 15, 2013, the Personal Data Protection Act (PDPA) was introduced and put into effect in Malaysia. It establishes a comprehensive cross-sectoral framework for safeguarding personal user data in commercial activities. Given the rising number of credit card fraud and identity theft cases, as well as a marked increase in companies selling personal data without the user's consent, the PDPA was enacted to boost consumer confidence in business transactions and e-commerce. Any person who collects and processes personal data in the context of business transactions is subject to the PDPA.
The PDPA consists of seven principles, which we will discuss in detail later on:
- General
- Notice & choice
- Disclosure
- Security
- Retention
- Access
- Data integrity
PDPA and GDPR
While Southeast Asia (ASEAN) works to protect the data and privacy of its more than 600 million people, the European Union, a similar regional organization, has implemented the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. The GDPR establishes a set of uniform data protection standards for the EU's 28 member countries, allowing citizens to understand how their personal information is used. The GDPR not only gives EU citizens more control over their personal data, but it also makes the regulatory environment for multinational enterprises easier to navigate by consolidating EU regulations.
The distinction between the EU and ASEAN is that the EU has a parliament with legislative power, whereas ASEAN has the ASEAN Inter-Parliamentary Assembly, which only possesses the power of persuasion. However, with an estimated seven million EU residents visiting ASEAN countries each year, including for business purposes, many Malaysian organizations are compelled to comply with the GDPR. As mentioned in our article on the GDPR, every organization that interacts and does business with EU citizens, regardless of its location, is bound by the GDPR. So, while Malaysia has its own privacy regulations, the nation is often also dependent on international regulations such as the GDPR.
Then and now
Southeast Asia has digitized rapidly over the past few years. Before this change, digital data protection had not been a priority, compared to more urgent issues like rapid modernization and political stability. When technology became as ubiquitous in Southeast Asia as it is in Europe and the US, data security grew in importance, especially within global commercial organizations. But whereas Europe introduced its very first data protection directive in 1995, Southeast Asia's first big steps towards data protection only appeared after 2010.
Back in February 2020, the Malaysian Department of Personal Data Protection (JPDP) organized a public discussion on changes to the PDPA. The discussion's outcomes resulted in high-level changes to the act in 22 different areas, including topics such as privacy by design, data portability, breach notifications and other subjects that are closely related to Europe's GDPR. A year before the JPDP meeting, research had been conducted to compare the PDPA to other international data protection regulations in order to explore ways to strengthen the Act. Unfortunately, internal governmental changes and the severe consequences of the COVID-19 pandemic in Malaysia have slowed progress on researching and improving data protection.
PDPA and App Development
As mentioned at the beginning of this blog, the PDPA consists of seven core principles, all relating to the use of personal data for commercial purposes, including in the mobile applications we use on a daily basis. Let's have a closer look at each of them:
1. General
The first principle states that app owners cannot obtain and use personal data unless the user has given written consent. Following the PDPA, the personal data of a user can only be processed when it is done for lawful purposes and directly related to the functionalities of the application, requiring only the necessary data.
2. Notice & choice
Under the notice and choice principle, app users must be informed by the app owner about the use of their personal data before giving consent. This is usually done in the form of a link to the terms and conditions and/or privacy statement on the website.
3. Disclosure
According to the disclosure principle, an app owner is not allowed to disclose the personal data of a user for any purpose other than the one stated within the terms and conditions. Additionally, the app owner is not allowed to share data with any third party that the user has not agreed to.
4. Security
This principle requires the app owner to take specific steps to protect the personal data of their users against abuse, accidental or unauthorized disclosure, destruction or loss. These specific steps must be documented in a security policy that is accessible for the user to read.
5. Retention
The retention principle states that personal data can only be kept for as long as necessary. Once a user's personal data is no longer needed for using an app's functionalities, the app owner must permanently erase the data. This way, the user can be sure that their data is not being used for any purpose other than the application they were using.
6. Access
App users have the right to access and amend their personal data if it is incomplete, misleading, inaccurate, or outdated. However, the PDPA also provides that, if an app owner doesn't agree with the changes suggested by the user, they have the right to refuse to comply with the corrections.
7. Data integrity
According to the principle of data integrity, an app owner must take reasonable steps to ensure that all the personal data that’s being collected is accurate, complete, recent, and not misleading. If a user contacts the app owner about the incorrectness of their personal information, the app owner must immediately implement the changes if they agree with the user’s request. When additional information is required, the app owner has to inform the user to make sure the data is complete.
Want to know how we ensure the privacy of our user data in every single application we create? Check out our security documentation, which tells you all about the technologies we use to develop our apps as securely as possible.
Data protection at Lizard Global
The GDPR requires data controllers and processors like app creators and owners to take reasonable steps to protect the privacy of their users. At Lizard Global, our applications are built with "privacy by default". Privacy by default means that app developers make sure their application is built and marketed with the most secure privacy settings by default. The settings must be configured in such a way that, whenever a user starts using the app, they only provide the data that is absolutely necessary in order to use the app's functionalities.
Do you want to know how you can make your own application as secure as possible? Check out this article with 5 tips and tricks to optimally secure your app.
For every application we create, we make sure that only authorized people have access to user data, and then only when absolutely necessary. We assess the security risks associated with all of our digital solutions and ensure that access is only granted when it is absolutely essential. We prioritize the security of your user data by ensuring that our technology is written in such a way that it only requires minimum access to user data to function properly. A social media platform should be encouraged to allow users to configure their profile settings in the most privacy-friendly ways possible, such as limiting the visibility of a user's profile from the start so that it is not accessible by default to an endless number of people.
Besides privacy by default, we also make sure that we continuously use the latest cutting-edge data protection technologies, such as encryption protocols and blockchain technologies. In the event of a physical or technological problem, we must make sure to quickly restore the data and make it available again without losing its protection. As a full-stack app development partner, it is also our responsibility to continuously test, assess, and evaluate the security of our applications. User data must be safeguarded at all times, during the data processing and storing processes as well as on the user's device itself.
Need a hand?
Are you looking for a digital partner for the development of your application? At Lizard Global, no challenge is too big. We walk you through the entire process of app development and make sure your app is in line with your target audience and your market and industry, using cutting-edge technologies and following the latest laws and regulations in cybersecurity.
Ready to team up? Fill in our contact form and receive a free digital consultation session with our experts in the field to find out how we can start an award-winning partnership!