Personal Data Protection Act 2010 – A Risk Management Perspective

Course Description

The Personal Data Protection Act (PDPA) establishes a new general data protection law in Malaysia which governs the collection, use and disclosure of individuals’ personal data by organizations.

The Personal Data Protection Department (PDPD) is established under the PDPA with the key functions, amongst others, of promoting awareness of data protection in Malaysia and administering and enforcing the PDPA.

The course gives participants a working overview of the PDPA, how it applies to their organization's compliance obligations, and the preventive measures to adopt and implement against the risk of personal data loss.

Course Objective

After completing this course participants will be able to:

  • Understand how the Personal Data Protection Act 2010 applies in the hospitality industry and the offences that follow from non-compliance.
  • Reorganize the practices and processes in their own work areas to support data protection in line with the Personal Data Protection Act 2010.
  • Improve data integrity and maintain business continuity free of data contamination and infringement.
  • Develop principles and mechanisms to detect and prevent unauthorized handling and dissemination of personal data.


Training Methodology will be based on the following

Think differently to alter direction.

The experience of learning to read and write for the first time is likely to remain vivid in your memory. The skill is ingrained and it stays. The primary objective of our training and workshops is to make your new knowledge and abilities as durable as the ones you have already accumulated. They foster fresh ideas. They enable great feats. What we prioritise is the way individual behaviour and attitude contribute to your organization's success.

Combining experiential, instructional and discovery learning with current coaching technology promotes profound changes in attitude and behaviour that enable sustainable change in your business. These changes improve results.

Our programmes draw on 12 distinct learning methodologies, as below:


Module 1: Organizational Compliance Framework

  • Legal requirements
  • Standards
  • Best practices
  These are used to manage:
  • People
    • Internal
    • External
  • Property
    • Tangible
    • Intangible
Module 2: Overview of Personal Data Protection Act 2010
  • Regulates the processing of personal data
  • Applies only to commercial transactions – how does the hospitality industry fall within this ambit?
  • Does not apply to the Federal and State Governments
  • Does not apply to data processed outside Malaysia
  • The 7 Personal Data Protection Principles
  • Criminal offences
  • No civil remedies
  • Other supporting regulations under the PDPA 2010
Module 3: Data Protection At the Workplace
How do the General Principles of the Personal Data Protection Act 2010 apply in the hospitality industry? This module will look at how to:
  • Appreciate who and what is covered by the Personal Data Protection rules
  • Understand the organization's policy and aims on personal data use
  • Gain an overview of the Act
  • Know and apply the core principles for personal data use
Module 4: Criminal Offences and Liabilities under the PDPA 2010
  • Punishment for contravention of the Act
  • Offences by a body corporate
  • Contravention of the Personal Data Protection Principles
  • Processing of sensitive personal data in contravention of Section 40
  • Unlawful collection or disclosure of personal data
Module 5: Notice and Choice Principle
  • When do you need to seek the consent of data subjects?
  • How do you seek consent, and what are the exemptions to consent?
  • Channels for serving Notice on employees, contractors, suppliers, vendors and visitors
  • Guidelines on Consent
  • Recognise when, and for what purpose, staff and customer data may be used
  • Questions to ask when collecting data at the Front Desk / Reception during check-in
  • Survey forms such as the Guest Satisfaction Survey – which personal details to collect and which not to
Module 6: Compliance: The What, When and How
  • What do companies need to do in order to comply?
  • When do companies need to fully comply?
  • The Employer's Perspective: is a change of approach required?
  • The changes brought about by the Act will invariably affect the way employers approach employment issues where employees' personal information is involved.
  • Understanding how the Act applies to employment relationships
  • Understanding how the Employment Act 1955 affects personal data
  • How do companies set up an effective compliance framework?
  • Guidelines on understanding Purpose under Section 6 of the PDPA 2010, and the Innkeepers Act 1952 that governs hoteliers and their guests
Module 7: Issues and Implications of the Principles
  • Disclosure Principle, and guidelines on when you can refuse to disclose or disclose only partially
  • Retention Principle in relation to employees and former employees
  • Data Integrity Principle
  • Access Principle
  • Practical activities relating to each principle
Module 8: Benefit and Risks
  • Benefits and challenges of being PDPA compliant
  • Understanding the implementation of the PDPA across the stages of employment: pre-employment, beginning, during and end of employment
  • Potential privacy-related risks to organizations
  • Case study on personal data issues and their impacts
Module 9: The Personal Data Protection Standards 2015
  • Data Security Standard – distinguishes between conventional and electronic data management and prescribes security measures for each
  • Data Retention Standard
  • Data Storage Standards
  • Data Integrity Standard
Module 10: Human Resource Department and PDPA principles

For Human Resources departments, meeting the requirements of data protection law can be particularly challenging. Holding and handling staff information carries significant legal responsibilities and risks.

This module discusses key areas of compliance issues.

  • Ensuring that the recruitment and selection process meets legal requirements, including the content of application forms, pre-employment vetting, criminal records, medical checks and the interview process
  • Retaining staff records, and the appropriate periods of time for keeping information
  • Dealing with staff information requests – what must be disclosed and what can be withheld
  • Disclosing staff information to outside third parties – the legal requirements that must be met before staff information can be sent outside the organization
  • References and the rights of former members of staff
  • Monitoring staff activities and communications, including monitoring by managers, CCTV cameras and web technologies
  • Outsourcing functions to third-party providers
Module 11: Security Guidance

This module looks at what constitutes a personal data security breach and how such breaches occur. It also considers how to avoid breaches, and the practical steps that should be taken when a breach does occur.

Key aspects of this module include:

  • Analysis of the Security Principle under Section 9 of the PDPA
  • Managing information security
  • Implementing the Data Security Standard
  • Understanding the risks to personal information
  • Taking a holistic approach to data security – staff vetting, access control and other organizational measures that should be implemented
  • Knowing what to do in the event of a data protection breach
Module 12: Personal Data Risk Identification and Analysis
  • Perception and treatment of risks
  • Attitudes and reactions towards risks
  • Identifying risk – identification practice and techniques
  • Risk identification tools
  • Risk analysis of the potential frequency and gravity (severity) of losses
  • Selection and implementation of the most appropriate risk management technique
  • Monitoring and reviewing the continued suitability of the chosen technique
Module 13: Compliance Inspection and Audit Methodology
  • Identify the current practice / process
  • Ascertain and analyze whether it is the right practice / process – in line with the established laws, regulations and standards that support business needs
  • Ascertain whether it is a mere practice or a process – whether there is a process orientation
  • Whether the process has been defined and documented
  • Whether the set process is sufficient to manage the risk to personal data protection in line with the PDPA 2010 – gap analysis using SWOT analysis as a tool
  • Process review based on the gap analysis
  • Process re-engineering / redefinition