Information privacy as a CSR initiative


The imminent enforcement of the Personal Data Protection Act will thrust privacy into the public eye. Vimal L. Kumar suggests companies look at the Act from a different perspective.

The right to privacy is one of the often-forgotten Human Rights which business must respect and promote, and is rarely discussed in the context of CSR strategy. In many Asian markets, data protection is weak or non-existent – but this is about to change, starting with Malaysia.

With the of the imminent enforcement of the Personal Data Protection Act (PDPA), issues surrounding Privacy and Data Protection are soon going to be very much in the Malaysian public’s eye. This Act which regulates the processing of personal data in commercial transactions was finally passed in Parliament in 2010, after being considered since 1999.  Upon the introduction of this legislation, Malaysians will have substantially increased legal protection over the data collected about them, controls they have over this data collection and the subsequent use of the data, in other words Information Privacy.

The PDPA was gazetted into law in June 2010 and was scheduled to be in force by June 2012 to allow time for the Information, Communications and Culture Ministry to set up a new Personal Data Protection Department, train staff, and select a commissioner to oversee the PDPA’s enforcement. However, the June deadline for enforcement was postponed due to the need to finalize the regulations and rules related to the PDPA’s enforcement, such as the registration process companies will need to undergo.

Data protection and privacy is not a new concept, with many other countries, for example the Scandinavian countries, Australia, Canada and Hong Kong having implemented this many years ago and have rather mature models.

It is insufficient to rely merely on legislation to ensure that companies take the necessary steps to ensure their customer and employee privacy , as despite significant legislation and punitive measures in Europe for example, data violations continue to occur in a number of large organisations.

Some companies in Malaysia and abroad have taken an early lead, and introduced the role of ‘Chief Privacy Officer’, whose functions include gathering information about social and legal aspects of privacy, devising a privacy strategy, providing information about corporate data handling practices to internal and external stakeholders, and representing the company’s commitment to privacy.

Others have privacy policies posted on corporate communication channels to educate users on the company’s data handling practices and understand their consequences and then make informed decisions on the use of their personal data. In reality though these policies are often written in “unfriendly” language and are so lengthy and detailed that they are really of little practical use.

For data protection to be taken seriously and to really address the issues of privacy, companies should accept and address information privacy for reasons driven by the company’s concern about relationships they have with their stakeholders as well as their own (self) interests.

It is a balancing act as it is in the companies interests to collect as much data that they can about each transaction or encounter with their customers and business partners, so that they can convert this into information and eventually have very comprehensive user profiles which they can then use to data mine and offer to provide additional services, which in turn will translate into alternative revenue streams for the company.

On the other hand the company’s more astute and aware stakeholders will have concerns about their data protection and will be looking to restrict access or collection to data that they deem unnecessary to divulge for fear of data abuse and privacy concerns.

The companies that manage to earn the trust of their stakeholders through responsible practices in terms of data management and demonstrate the organisations’ DNA embraces privacy in a practical manner will be able to secure a competitive data advantage, as they will not be subjected to obstructions and objections, in terms of not being allowed to collect “extraneous” data from their stakeholders for the purposes of building user profiles.

Another advantage of this is to be able to pre-empt and even avoid the costly measures that may be imposed upon the company by government regulators.

Malaysian companies, especially those that deal with masses of data – for example IT based companies and banks, are no doubt getting themselves ready to address the various operational aspects of ensuring their business processes, systems and people are trained and ready from a legal point of view. However they should not lose sight of the fact that there is potential benefit from integrating this responsibility over data collection and handling into their overall strategies and embracing privacy as a CSR thrust, especially if they make this commitment transparent to external and internal stakeholders.

 By Vimal L Kumar


Vimal L Kumar is an executive with CSR Asia

Image courtesy of Flickr User GillmanInsurance

Leave a Comment