Understanding PDPA compliance for e-commerce business in 5 minutes
Personal Data Protection Act 2010 ("PDPA") was enforced in 15 November 2013. Three (3) months grace period (due date: 15 February 2014) are given for all affected parties to comply with PDPA. PDPA regulates any processing of personal data in respect of commercial transaction, including e-commerce. Question: How do the e-commerce players comply with PDPA? In this article, we will share some tips…
Rule No.1 is no one shall use any individual's personal data without consent. For processing personal data, e.g. name, telephone contact, email address, or lifestyle preferences you collected from your customers, you need to obtain their consent, either express or implied.
The typical manner to obtain the customer's consent in e-commerce world is allowing the customer to tick the box "I hereby agree to the use of my personal data…." ("PDPA Clause"). You may sell your products or services in an existing marketplace or via your own e-store. If you are selling via existing marketplace, you shall ensure the terms and conditions set by the marketplace operator consists of such similar PDPA Clause.
Is there any third party you may disclose your customer's or employees' personal data to? Search Engine Optimization (SEO) officer? Marketplace operator? Logistic company? Outsourced database company? If yes, you need to inform your customers on the list of third parties via your PDPA notice and ensure these third parties are equipped with reasonable security features to secure the processing of personal data. Note that if you are disclosing to the third parties outside Malaysia, make sure you state clearly in your PDPA notice!
Under the regulation of PDPA, you need to maintain a security policy in respect of collecting, using, transferring and destroying personal data. There are two (2) aspects you need to consider, i.e. technical and organizational features. As the standards of security is not stated in PDPA or its regulations, it is advisable to consider the security measures required for your company taking into consideration of the nature of personal data, size of database, operation costs, transfer of personal data locally and cross-border, and risk profile of your company. Make sure all your staffs shall comply with the security policy!
You may keep the personal data so long as you are using it for the purpose stated in your PDPA Notice. In other words, you shall remove the personal data from your database and destroy permanently if you are no longer using the personal data.
ACCESS & DATA INTEGRITY
You shall provide access to your customers for them to access their own personal data in your database. You shall ensure all personal data collected in your database is accurate, complete, not misleading and up-to-date.
If you are e-store owner, you may have an online access and correction system or mechanism for them to access and update their own personal data, e,g: an online Personal Data access and correction form for them to fill up and submit to you. Note you shall reply to the access and/or correction request within 21 days from the date of receipt of access and/or correction request.
Lastly, on E-MARKETING…
When you are sending Electronic Direct Mail (eDM) or other marketing and promotional emails to all your customers in one email, you shall ensure the email addresses of other customers are not disclosed, e.g. <undisclosed recipients> and always ensure there is a mean for the customers to opt out from the email thread. Do not send them any more emails after they have unsubscribed from your marketing email threads otherwise you may be liable to a fine of RM200,000 max or jail of 2 years max or both.
Compliance to PDPA may cut down your revenue but in a long run, it boosts the customer's confidence in dealing with you as a reliable merchant. If you have any questions on PDPA, do not hesitate to contact us at firstname.lastname@example.org.
This article is written by Chris Tan, Managing Partner of Chur Associates.
What say you?