What are the penalties for noncompliance with any applicable data protection laws?
Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.
Individuals and companies who are convicted of violating the personal data protection principles in Malaysia’s Personal Data Protection Act 2010 are liable for fines up to 300,000 ringgit (approximately $73,000 USD in 2019) or a prison term of up to 2 years.
There are a number of fines and penalties that can be levied, depending upon the offense. Noncompliance with codes of practice put out by the Commissioner, can lead to fines of up to 100,000 ringgit and/or a year in prison. Being convicted for refusing to comply with a data correction request or refusing to stop processing data after an individual has withdrawn consent can lead to similar penalties.
In addition, fines and penalties can be levied for other types of offences such as illegal international data transfers. Fines and penalties for unlawfully collecting personal data can go as high as 500,000 ringgit and/or up to 3 years imprisonment.
HR Best Practices: Make sure to follow the personal data protection principles and to limit data collection to what is legally allowed. Employee data should only be processed for one of the approved reasons in the Personal Data Protection Act, and proper consent and notification should be provided before personal data is collected.