It took us a while to work this out. We started developing a suite of products to address PDPA concerns of our clients back in late 2012. Aside from developing with our colleagues in UK and India (who have experience with personal data protection acts of their own for years), we have also engaged discussions with agencies like Cybersecurity. Of course, we have also had legal firms partnering with us over the course of the development, but we wanted our products to be practical and operational, not catered to legal department, but to whichever department that needed to implement these.
Over the past months, we have met with the Personal Data Protection Department to find additional clarity, culminating in a public joint awareness workshop between PKF and PDP Department on the 25th of February 2014.
Over 2013 and early 2014, we have refined these and decided to roll out different packages to cater to different requirements of our clients. PKF, in reality, isn’t the big 4. We don’t have multi billion dollar clients (well, we do, but not many), and in this reality, most of our clients, even the bigger ones are extremely cost conscious. Hence, all our awareness talks including the one we jointly organised with the Personal Data Protection Department, are free of charge.
Hence, I was sitting at a meeting with a customer back in 2013, and she mentioned that I should think of a tiered product: Basic, Intermediate and Advanced when it came to PDPA. As this was a fairly new Act, it would be best to try to get everyone on board at the lowest cost possible.
Hence, starting last week, we’ve launched our PDPA suite of services:
1) Starter Package
This is for customers to “do it themselves”, with the basic document templates required based on the Personal Data Protection Act 2010 and the current subregulations. All that is required is to edit these templates. Implementation guidance is only from the policies, and the organisation will have to implement on their own and the responsibility of providing evidence of implementation of controls is entirely from the organisation. We won’t be verifying or validating any of the controls, as this is only on documentary level. This is a good starter package to immediately address the key PDPA issues from a documentation perspective. This will include any updates of code of practices we will get from time to time from the PDP Department.
2) Checklist Package
This includes everything in Starter, as well as our Checklist, which had been developed and discussed with government agencies. The Checklist, which covers all 7 principles in easy to understand explanations also maps to the current ISMS/PCI/COBIT standards, for the ones more inclined to technical audit. Using the checklist as implementation guidance, we expect most of our customers to be able to address most of the PDPA concerns in this package. Again, we cannot verify or validate the implementation or take any responsibility in the results, but in this instance, the roadmap for PDPA compliance is provided, and organisations to follow the checklist. Offsite support provided.
3) Assessment Package
This includes everything in Checklist, and also onsite gap assessment; scope definitions; implementation advisory, training and follow up assessment.This would be for customers looking for a comprehensive solution to address all of PDPA principles. Using this baseline, this could further launch the organisation into other compliance projects such as ISO27001 etc.
4) Custom package
This typically is for organisations who want us to do the implementation, instead of just assessment and advisory. This could be to locate resources onsite for the period of the project, to do project management; to do technical implementation etc.
The current packages are priced as follows:
We’ve purposedly priced Starter as such so that all our clients will take up at least to do the policies addressing PDPA. That itself is reasonable enough to get started and to have something. Even our assessment package is almost 50% lower than our typical IT Audits, again to hopefully have more clients consider addressing PDPA as opposed to just ignoring it.
We will be publishing the products more formally through the official website, but for now, do contact us at avantedge@pkfmalaysia.com or call +603 6203 1888 for questions or samples of PDPA policies.