By Joseph Cheah
With Malaysia being under lockdown for a little while longer as we cope with the pandemic, many businesses have made the conscious decision to allow their workers to work from home, so long as the nature of work permits. With people spending more time online than ever before, this may expose an unfortunate opportunity for online predators to target potential victims.
Phishing and email scams are some of the deceptive tactics used by hackers to gain access to your company’s data. If hackers were to extract data from your company, they could blackmail you into doing something you don’t want to do.
To that end, it is absolutely essential that security protocols and risk mitigations are put in place to address targeted cybercrime against your company. Below are 4 best practices to ensure data protection compliance.
Data Processing Policy: How will you use their data
If you collect personal information from a person, you MUST inform him of the following:
- that his data is being processed
- the purpose of collecting his personal data
- his right to request access to and correct his personal data
- information on how to contact you
- the information of the third party that you will disclose his personal data to (if any)
- whether it is obligatory or voluntary to supply the personal data
- the consequences if he fails to supply the personal data
This notice must be shown to him before you collect his data.
Practice Minimal Data Collection
When collecting personal data, you may want to consider collecting only what you need. Collecting too much personal information may increase the amount of data that you must protect.
Instead of maximizing consent, you may want to minimize collection.
Appointing a Data Protection Officer
Although not required under the law, the Ministry of Communications and Multimedia Malaysia has been considering a mandatory appointment of a data protection officer. The proposed idea is that the officer shall be responsible for overseeing the data protection strategy and its implementation in a company to comply with the provisions of the Personal Data Protection Act 2010.
Even though such an appointment may increase a company’s costs, it could very well save the company from the heavy damages it might suffer in a data breach when no officer is around to ensure that security measures are taken adequately and professionally.
Data Breach Incident Response Plan
It would be useful to have a data breach incident response plan in place. This plan will be triggered if a breach is detected. The goal of the incident response plan is to mitigate and reduce the damage caused by the breach. The following content is recommended as part of the plan:
- Committee: the plan shall identify the representatives who shall take charge and lead in the event of a data breach.
- Determination of an Incident: a person shall be designated to determine whether an incident has occurred that requires the implementation of this Incident Response Plan.
- Initial Response: the plan shall set out the immediate actions to be taken by the respective persons, including containing the breach, identifying the leak, gathering evidence, and escalating the matter to management level.
- Follow Up / Review: the plan should also provide the steps to be taken by the committee to review the breach and ensure that it does not happen again.