Data Protection Act by AhmadFairuzAli

Date post: 26-Nov-2015
Description:
Inspiration, ideas and perspective on the Data Protection Act from an internal auditor's perspective.
Personal Data Protection Act: View, Inspiration, Opportunity
Prepared by Ahmad Fairuz Ali, 25 October 2012

About me
Ahmad Fairuz Ali, Senior Internal Auditor (Group Internal Audit), Telekom Malaysia.
Graduated with a Bachelor of Information Technology (Major in Software Engineering), Multimedia University, Cyberjaya.
11 years of experience in telecommunications (DiGi, Celcom and TM).
Specializing in Revenue Assurance, risk-based auditing and IT management.
Lead of a Revenue Assurance open source project (only 2 such projects around the world).
http://www.linkedin.com/in/ahmadfairuzali

This document covers
- Impact to the telecommunication industry.
- Consultancy work.
- Role of Internal Audit.
- Role of ISO Auditor.
- Development of the PDP department.

Impact to the telecommunication industry.

Telecom Business Process Framework: which areas are impacted by the PDPA?

Telecom Business Process Framework (Frameworx)
http://www.tmforum.org/TMForumFrameworx/1911/Home.html

Telecommunication dynamics
- Messaging (SMS and MMS).
- High speed broadband (FTTP).
- Convergent billing (prepaid and postpaid).
- IPTV (HyppTV) and satellite TV (Astro).
- Mobile content (mobile video, mobile music, wireless games, mobile advertising).
- E-commerce and M-commerce.
- Cloud computing (SaaS).
- Machine to Machine (M2M).
- Web 2.0 and Telco 2.0.

Operational impact
- Telcos have to change their current billing system and CRM so that the data subject can give consent before the data user processes personal data.
- Telcos have to provide greater security facilities covering the data center, backups and recovery, to protect personal data from any loss.
- The call center should allow users to access their personal data and give them the ability to correct it. This applies to online customer service too.
- The billing system and CRM have to be reviewed so that personal data is not kept longer than is necessary.
- Telco portals shall ask for the user's consent for cookie tracking.
- Telcos have to review policies and procedures related to supplier/vendor access to billing or CRM information.

Consultancy work.

Areas to focus on
- Advisory to clients on compliance with the PDPA.
- Review of client policies, procedures, SOPs and FA.
- Advisory on setting up a PDP department.

Role of Internal Audit.

Guide to Data Protection Audit
It is more effective to carry out scheduled internal audits on a data protection ecosystem that has been formally documented and is fully operational. Such a data protection ecosystem will in theory meet the requirements of the PDPA 2010, because it should have been designed specifically with this objective.

Type of Audit
Adequacy audit: to check that any documented policies, codes of practice, guidelines and procedures meet the requirements of the PDPA 2010.

Types of compliance audit
- Functional or vertical audit (Strategy, Infrastructure, Product, Operation, Network, Fulfillment, Assurance, Billing, Finance).
- Process or horizontal audit (Marketing & Offer Management, Service Development & Management, Supply Chain Development, CRM, Service Management & Operations, Supplier/Vendor Management).

Audit outcomes
- Effective
- Mostly effective
- Partially effective
- Ineffective

Most importantly, in consultancy work the auditor should provide recommendations to the client on best practices in implementing the PDPA and explore further business growth opportunities.

Audit Risk Assessment (Example)
- What is the likelihood of a breach of the PDPA occurring in this area?
- Are staff competent to understand and perform the policies and procedures related to data protection?
- Does management continuously monitor the effectiveness of policies and procedures?

How is Internal Audit involved in the PDPA?
- During the initial development of the PDP function in the company.
- On a periodic basis after the PDP function is fully installed, to ensure the effectiveness of the controls.
- Self assessment, e.g. checklists:
  - Adequacy audit checklist.
  - Compliance audit checklist on organizational and management issues.
  - Compliance audit checklist on the 8 data protection principles, use of data processors, consent and transactions.

Role of ISO Auditor

Why does an ISO auditor need to be involved in the PDPA?
- A company which requires ISO certification will eventually need to comply with the PDPA.
- ISO development for the PDPA is still new; hence nobody can be sure of the ISO function related to the PDPA.

How is the ISO auditor involved in the PDPA?
- Development of an ISO PDPA framework.
- Submitting the ISO PDPA for review and obtaining international recognition.

Development of PDP department

Role of Data Protection Officer
- The Data Protection Officer (DPO) has to ensure the company's compliance, data governance policies and procedures according to the PDPA 2010.
- The DPO reports directly to the board of directors.
- The DPO is responsible for notifying the Data Protection Commissioner of data breaches after discovering a breach, or for explaining to the authorities why it is not possible to provide full details of the breach.
- Ensure implementation of good data protection governance measures.

Proposed position of the DPO at an early stage (awareness)
Proposed position of the DPO (wide coverage)

Cloud computing: risks relevant to the PDPA
Potential risks in the cloud relevant to the PDPA:
- Security risks (mobility, co-existence, interoperability).
- Data leakage (transfer from cloud to cloud, physical data).
- General (exposure of sensitive personal data).
- Access (violation of access).

END

