WORKSHOP OVERVIEW
The purpose of conducting the Personal Data Protection Act 2010 (PDPA 2010) workshop/training is to create awareness on PDPA 2010 requirements among individuals who deal with customer’s personal data. This workshop will be providing the rules and regulations, coupled with do’s and don’ts with customer’s personal data in order to avoid or minimize the risk of the same being unlawfully used or disseminated.
This workshop/training will also provide an insight on how personal data can be better protected, from a Risk Management perspective i.e: offences- by formulating prevention methodologies and risk mitigation plans.
WORKSHOP OBJECTIVE
After completing this course participants will be able to:
1. Understand the application of the Personal Data Protection Act 2010 and its offenses as a result of non-compliance.
2. To reorganize the practices and process at the respective work areas to support data protection in line with Personal Data Protection Act 2010
3. Increase the data integrity and ensure business continuity without contamination and infringement.
4. Develop principles and mechanism to detect and prevent unauthorized management and dissemination of Personal Data.
5. To develop and execute a Risk Based Compliance Inspection Plan to protect personal data.
METHODOLOGY
Highly Interactive Session, with a bilateral approach to the subject matter allowing participants to share incidences at respective work locations, Case Studies, Video Presentation, Mind Mapping and Recap Sessions, Mini Workshop Session – allowing participants to develop their own process and to support subject matter and work in synergy with other participants.
WORKSHOP OUTLINE
DAY 1
09:00 AM – 10:30 AM
> The Underlying reason for the enactment of Personal Data Protection Act 2010
• Increasing number of the following cases: - Identity Theft, Data Loss, Unauthorized dissemination of data, Fraudulent Activities
> Overview of Personal Data Protection Act 2010
• Regulates processing of personal data
• Only commercial transactions
• Not data processed outside Malaysia
• 7 Principles
• Criminal offences
• No civil remedies
• Other supporting Regulations under PDPA 2010
10:30 AM – 10:45 AM Morning Tea Break
10:45AM – 01:00PM
> Data User
• Definition
• Categories
> Data Subject
• Definition
• Categories
> Personal data
• What is Personal Data and its express and implied definition
• Forms of Personal Data: As long as it identifies a data subject.
• Email – Whether it can be classified as personal data depends on the circumstances of the case.
• IP address - Whether it can be classified as personal data depends on the manner in which it is disclosed.
• Employer and Employee relationship. Data collated as pre-employment checks; Data volunteered just prior to employment; Data obtained during the course of employment.
> Commercial Transaction –
• Any transaction of a commercial nature, whether contractual or not.
• What are the areas of commercial activity that falls under the purview of Commercial > Transaction?
• Contracts
> Sensitive personal data
• Definition and categories
• Circumstances and conditions under which it can be processed or disseminated within the ambits of Personal Data Protection Act 2010
> Processing – What constitutes Processing
• Collecting
• Recording
• Holding
• Storing
• Organizing
• Publishing on the Internet
• Making available
01:00PM – 02:00PM Lunch
02:00PM – 03:30PM
> Classroom Activity & Mind Mapping
- Participant’s perspective and view
> Principles of Data Protection
For data to be processed lawfully in Malaysia, a data user shall comply with the following principles, namely
• General Principle
• Notice and Choice Principle
• Disclosure Principle
• Security Principle
• Retention Principle
• Data Integrity Principle
• Access Principle
03:30 PM – 03:45 PM Afternoon Tea Break
03:45 PM – 05:00 PM
A detailed explanation coupled with examples and case studies of each principle will be shared with participants. The exception to the General Principle will also be discussed.
> In instances of crime prevention, the following principles must be upheld (at least):
• General principle
• Notice & choice principle
• Disclosure principle
• Access principle.
DAY 2
09:00AM – 10:30AM
> Mind Mapping and Recap Of Day 1 Session
> Personal Data Protection Commissioner
• Appointment under the PDPA 2010
• Complaint Channel
• The rights to conduct investigations and audits
• Whether decision of Commissioner appealable
> Registration of Data User
• Registration process
• Approval
• Renewability of registration
10:30 AM – 10:45 AM Morning Tea Break
10:45AM – 01:00PM
> Transfer of Data Overseas
• Who can authorize transfer
• Circumstances under which Data User can effect transfer within the ambits of PDPA 2010
01:00PM – 02:00PM Lunch
02:00PM – 03:30PM
> Video Presentation on Personal Data Protection.
> Rights of data subject
• Right to access personal data
• Right to correct personal data
• Right to withdraw consent
• Right to prevent processing likely to cause damage or distress
• Right to prevent processing for purpose of direct marketing
> What Constitutes an Offence under the Personal Data Protection Act 2010
• Summary of Offences
• Case Study
> Liabilities under the Personal Personal Data Protection Act 2010
• Liabilities within the ambit of the act and its related impact.
> Enforcement mechanism can consist of one or a combination of the followings:
• Data protection commissioner
• Advisory committee
• Appeal tribunal
• Codes of practice
• Enforcement notice
• Prosecution
• Revocation of registration
03:30 PM – 03:45 PM Afternoon tea break
03:45PM – 05:30PM
> Classroom Activity – Participants divided into groups and to present their proposed plan
Eg: - How can an organization develop its own Data Protection Strategies within the ambits of Personal Data Protection Act 2010
> Information Security Policies
- Clean Desk Policy, Enforcement, and Execution, Non-Disclosure requirement.
> Risk Management and Assessment Principles
- With measurable KPIs and trigger factors
> Establish SOPs
> Close Loops Contracts
Wrap Up With Mind Mapping Session