Malaysia Personal Data Protection Act (PDPA) 2010...
© 2014 Deloitte Enterprise Risk Services Sdn Bhd
Malaysia Personal Data Protection Act (PDPA) 2010 Awareness Seminar
Privacy and Protection of Personal Data
25th June 2014
Room 1202, Level 2,
Penang Skills Development Centre,
1, Jalan Sultan Azlan Shah
11909 Bayan Lepas,
Penang.
AGENDA
Introduction to Malaysia PDPA 2010
Malaysia PDPA 2010 at a glance
Key Definitions
The 7 Principles of Malaysia PDPA 2010
Impact of Malaysia PDPA 2010 to your organisation
Frequently Asked Questions
Tea Break
Malaysia PDPA 2010 – How Should You Prepare Yourself
Actions Required
PDPA Project Phases
Question & Answer Session
INTRODUCTION TO MALAYSIA PDPA 2010
Malaysia PDPA 2010 at a glance…
• Came into force on 15 November 2013
• Department formed, Commission pending
• Regulations and Orders issued
• 4 public consultation papers released
• Registration of Data Users within 3 months from 15 November 2013
• Three phases of implementation: 1. Awareness 2. Compliance 3. Enforcement
*Extracted from Christopher & Lee Ong PDPA Compliance Deck
The Objectives of Malaysia PDPA 2010
• Strengthen overall competitiveness of Malaysian businesses
• Enhance Malaysian Competitiveness
• Avoid disadvantages for businesses in Malaysia
• Protect privacy, right and freedom of citizens
What is “Personal Data”?
• Expression of opinion
• Fingerprint, face/iris recognition
• Images
• Name, IC No., Gender, Race, Address
Covers both electronic and manually recorded data.
“Consent” is required.
*Extracted from Christopher & Lee Ong PDPA Compliance Deck
What is “Sensitive Personal Data”?
• Physical and mental health
• Political opinions
• Religious beliefs
• Commission of an offence
• Other personal data the Minister may prescribe
Explicit consent required.
*Extracted from Christopher & Lee Ong PDPA Compliance Deck
Key Parties involved in Malaysian PDPA 2010
• Regulator: The body that oversees and enforces the law (i.e. PDPD / Commission)
• Data Processor: A person who processes personal data solely on behalf of data user, and not for his own purposes (e.g. cloud provider, back-end IT processors)
• Data Subject: A person whose personal data is processed by a data user (e.g. customers, employees, third party contractors)
• Data User: A person who processes or has control over the processing of personal data (e.g. companies, individuals)
*Extracted from Christopher & Lee Ong PDPA Compliance Deck
The PDPA does not apply to:
The Federal and State Governments;
Personal data outside Malaysia (unless the personal data is intended to be further processed in Malaysia);
Non-commercial transactions;
Agencies operating under the Credit Reporting Agencies Act 2010;
Personal data intended for transit through Malaysia; or
Individuals who collect personal data only for the purposes of personal, family, or household affairs, including recreational purposes.
*Extracted from Christopher & Lee Ong PDPA Compliance Deck
We are here because all this happened … just last year
• Massachusetts Mutual: The 401(k) retirement plan information of certain clients was inadvertently exposed when a MassMutual account manager sent an email on May 8.
• Insurance Co. of the West: Confidential medical records were found under a freeway by a concerned citizen.
• Prudential America: An administrative error resulted in documents with sensitive information from members being emailed to an incorrect party.
• Nationwide Mutual Insurance: 1 million individual records compromised by cyber criminals.
• State Farm Insurance: A dishonest employee was caught misusing customer information to make fraudulent transactions online.
• Massachusetts Mutual: Inadvertently sent a report via secure email that included client information to an incorrect retirement Plan Sponsor.
• Ameritas Life Insurance: A laptop was stolen or discovered stolen sometime around March 21, 2012. It contained the sensitive health information of 3,000 people.
• UnitedHealthcare: A dishonest employee used the names, Social Security numbers, addresses, phone numbers, dates of birth, and Medicare Health Insurance Claim Numbers to steal the identities of at least 24 customers.
… and it costs companies
• £70,000 after a report containing sensitive information about a patient was sent to the wrong person.
• £140,000 for repeated breaches involving the disclosure of sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions.
• £375,000 after hard drives containing sensitive patient information were stolen and subsequently sold online.
• £50,000 for a “mix-up” in administration of two accounts which culminated in tens of thousands of pounds ending up in the wrong account and confusing the account holders.
• £2,275,000 following the loss of 46,000 insurance policy holders' personal details.
• Over £3m for information security failings (financial institution).
The 7 data protection principles of Malaysian PDPA 2010
Principles and descriptions:
General Principle
• Personal data cannot be processed without the consent of the data subject
• Exemptions:
i. For the performance of a contract to which the data subject is a party
ii. At the request of the data subject with a view to entering into a contract
iii. To protect the vital interest of the data subject
Notice and Choice
• A data user shall inform the data subject that
i. The personal data of the data subject is being processed and provide a description of the personal data and purpose of collection
ii. The right of the data subject to request access
Disclosure
• No personal data shall, without the consent of the data subject, be disclosed for other purposes
Security
• A data user shall take practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction
Retention
• Personal data processed for any purpose shall not be kept longer than necessary for the fulfillment of that purpose
Integrity
• The data user shall take reasonable steps to ensure that the personal data collected is accurate, complete, not misleading and kept up-to-date
Access Principle
• All data subjects shall be given access to their personal data and will be able to correct that personal data if it is inaccurate, incomplete, misleading or not up-to-date
Data users who are required to register
• Communication
• Banking and Financial Institution
• Insurance
• Private Healthcare
• Private Education
• Tourism and Hospitalities
• Transportation (Airlines)
• Direct Selling
• Services
• Housing Developers
• Utilities
*Extracted from Christopher & Lee Ong PDPA Compliance Deck
How will PDPA impact your organisation?
• New obligations for organizations that process personal data
• The data lifecycle (personal data) namely from its collection,
processing, dissemination and destruction will need to be
reviewed.
• Organizations which process individual customers’ or
employees’ personal data will need to re-evaluate their current
data privacy policies and processes
• Non-conformance with the principles may result in penalties
ranging from financial to legal liabilities. It is best to act now to
mitigate commercial or reputational risks.
Personal data of the following persons:
• Customers / Business partners / Suppliers
• 3rd Party Contractors / Vendors
• Employees / Directors / Shareholders
*Extracted from Christopher & Lee Ong PDPA Compliance Deck
Customers/Partners/Suppliers/Vendors:
• Purchase Order/Application Forms
• Enquiry Forms
• Agreements
Employees:
• Job Application Forms
• CV
• Payroll Records, EPF, SOCSO Records
• Warning Letters, Resignation Letters
Directors/Shareholders:
• Register of Members
• Register of Directors
• Forms of Annual Return
• Share Certificates
Other Individuals:
• Contractors, Sub-Contractors
• Walk-in Customers
• Suppliers, Advertisers
• Sales Representatives, agents
*Extracted from Christopher & Lee Ong PDPA Compliance Deck
Offenses
Offence and penalty:
• Non-registration: RM 500,000 fine and/or 3 years imprisonment
• Unlawful collection, disclosure and sale of personal data: RM 500,000 fine and/or 3 years imprisonment
• Breach of any of the seven principles: RM 300,000 fine and/or 2 years imprisonment
• Failure to comply with enforcement notice: RM 200,000 fine and/or 2 years imprisonment
• Transfer personal data to a place which has not been gazetted: RM 200,000 fine and/or 2 years imprisonment
• Continue to process personal data after withdrawal of consent by data subject: RM 100,000 fine and/or 1 year imprisonment
*Extracted from Christopher & Lee Ong PDPA Compliance Deck
Personal Liability
Officer of the Company deemed jointly and severally liable, unless the offence was committed without his knowledge, consent and connivance and he has taken all due diligence to prevent the offence.
*Extracted from Christopher & Lee Ong PDPA Compliance Deck
Practical points to remember
• Always collect data with consent
• Do not ask for irrelevant / unnecessary data
• Take steps to protect security and integrity of data
• Do not keep data for longer than necessary
• Allow Data Subject access to his data
• Notice in Dual Language
*Extracted from Christopher & Lee Ong PDPA Compliance Deck
FREQUENTLY ASKED QUESTIONS
Collection, Use & Disclosure
Question: How much personal data can an organisation
collect, use or disclose?
… an organisation may collect, use or disclose personal data only for purposes that a
reasonable person would consider appropriate in the circumstances and that the
organisation has notified to the individual unless an exception under the PDPA applies
… the organisation must obtain the consent of the individual to such collection, use or
disclosure, unless any exception under the PDPA applies
… organisations shall not, as a condition of supplying a product or service, require an
individual to consent to the collection, use or disclosure of personal data beyond what is
reasonable to provide the product or service
Example: a request to provide household income by an organization selling consumer products; remember, though, that the organization can ask in optional fields.
For collection of additional data, the organization shall provide the option whether to consent.
Collection, Use & Disclosure
Question: How to handle personal data collected before
effective date of PDPA – Feb 2014?
• Generally that data can be used, for reasonable purposes for which it was
collected but notice will need to be given
• Obtaining consent required if existing data used for new purpose or data
disclosed to other organizations / individuals, unless any exception applies
Example: a company used personal data for after-sales customer support prior to the PDPA. It can continue without first obtaining consent if notice is given, but it cannot use the data for direct marketing if that was not covered in the original purpose for collection.
Note: Informal confirmation from PDPD as a pragmatic solution to seeking fresh consent
for existing customers.
Access & Correction
Question: Must an organisation provide access to an
individual's personal data when a request is made?
• Organisations shall allow individuals access to their personal data that is
possessed or controlled by the organisations, and may charge a reasonable fee on a
cost recovery basis.
• Exceptions and prohibitions:
- cause immediate or grave harm to the individual’s safety or physical or mental health;
- threaten the safety or physical or mental health of another individual;
- reveal personal data about another individual;
- reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his or her identity; or
- be contrary to national interest
• Other cases when organisations may deny subject access requests and other
exclusions:
• Requested personal data would reveal confidential commercial information that
could harm the competitive position of the organisation
• any examination conducted by an education institution, examination scripts and
examination results prior to their release.
• opinion data kept solely for an evaluative purpose as defined in the PDPA.
Access & Correction
Question: Must an organisation provide correction to an
individual's personal data when a request is made?
• An organisation is generally required to correct an error or omission and send the
corrected personal data to every other organisation to which the personal data was
disclosed by the organisation within a year before the correction, unless the other
organisation does not need the corrected personal data for any legal or business
purpose.
- Example: organisation discloses customer name and address to a delivery company it engaged on a once-off basis
to deliver a product that the customer has purchased. Since the delivery has been completed, the organisation will not
be required to send the corrected personal data to the delivery company.
• The corrected data may be sent only to specific organisations to which the data was
disclosed by the organisation, if the individual consents to it.
• No need for correction where it is satisfied on reasonable grounds that a
correction should not be made. In this case, the organisation shall annotate the
personal data in its possession or under its control with the correction that is requested
but not made.
• An organisation is also not required to alter an opinion, including a professional
or expert opinion.
Care of Personal Data
Question: How long can an organisation retain its
customers' personal data for?
• No prescribed retention period
• But, organisation shall cease to retain personal data as soon as the purpose of
collection is no longer served by the retention; and retention is no longer necessary for
business or legal purposes
Question: What must an organisation do to ensure the
personal data collected is protected?
• Make practical security arrangements to prevent unauthorised access, collection,
use, disclosure, copying, modification, disposal or similar risks
Care of Personal Data
Question: What are the rules on cross-border transfer of
personal data?
• The PDPA will apply to all personal data collected, used or disclosed in Malaysia
• As such, organisations that collect personal data overseas and host and/or process
it in Malaysia will still be subject to relevant obligations under the PDPA from the point
that such personal data is brought into Malaysia
• For organisations that collect personal data here and transfer such data overseas:
‒ The organisation here transferring the personal data must put in place measures to provide a comparable standard of protection overseas
‒ Measures will be prescribed and are envisioned to include the use of contractual
agreements among the organisations involved in the transfer.
TIME FOR A BREAK!
MALAYSIA PDPA 2010 – HOW SHOULD YOU PREPARE YOURSELF
Actions required
• Appoint Data Protection Officer
• Map Out Your Personal Data Inventory
• Implement Data Protection Processes
PDPA Project Phases
Phases: Establish Governance Framework; Assessment; PDPA Readiness; Define Policies and Procedures; Rollout and Training
• Design governance structure
• Define roles and responsibilities
• Conduct PDPA Readiness Check
• Design scope of personal data
• Inventory of personal data, flows and storage
• Assess controls and identify areas of improvements
• Update existing policies and procedures to align to PDPA
• Design operating models and processes
• Develop training awareness programmes
• Implement process and implement data protection control
Establish PDPA Governance
Steps: Understand PDP Programme Requirements; Build PDP organisation
• Conduct project kick-off meeting
• Define project scope and objective
• Plan project activities
• Build management and technology objectives, required resources, costs and time estimates
• Define PDP governance structure
• Define PDP organisation and roles and responsibilities
Establish PDPA Governance
Build PDPA organisation
Appoint Data Protection Office
This activity shall enable the design of the Personal Data Protection programme and roles and responsibilities. Through the establishment of the PDP organisation, roles and responsibilities related to PDP can be clearly defined to steer the subsequent PDP activities.
[Figure: PDP organisation chart. Labels: PDP Committee Chairman; PDP Committee; Data Protection Officer; PDP Contact Window; Education & Training Owner; Individual’s Right Exercise Planner; Personal Data Leakage Owner; PDP Representatives in depts./units; Personal Data Manager; Audit; Unit 1, Unit 2, Unit 3, Unit N]
Conduct PDPA Impact Assessment
Steps: Design scope of personal data; Inventory of personal data, flows and storage; Conduct PDPA impact assessment
• Define personal data
• Collect and identify information assets and personal data
• Conduct personal data business process data flow sessions
• Develop personal data flow diagrams
• Assess current status of personal data protection within the organisation against PDPA obligations
• Identify areas for improvement and mitigating actions
Conduct PDPA Impact Assessment – Personal Data Flow
Steps: Design scope of personal data; Inventory of personal data, flows and storage; Conduct PDPA impact assessment
[Figure: personal data flow diagram. Labels: Business Divisions; Accounting/Finance; Customer & Product Servicing, Support, and Maintenance; Sales; Product Development; Customer System/Operational Activity; Third Parties; Other Carriers; Clearing Organization]
Conduct PDPA Impact Assessment – 7 Principles
Steps: Design scope of personal data; Inventory of personal data, flows and storage; Conduct PDPA impact analysis and risk assessment
1. General – consent required
2. Notice and Choice – notify purpose, access & correct
3. Disclosure – no consent, no disclosure
4. Security – practical steps to protect
5. Retention – as long as required only
6. Data Integrity – accurate, complete and up-to-date
7. Access – access and right to correct
Key Focus Areas - Human Resources
• Collection, Use and Disclosure of Employee Information
• Retention & Disposal of Records
• Employment Contracts
• Use of Recruitment Agencies
• Recruitment Information
• Outsourcing / Temp staff
Key Focus Areas - Information Technology
• Data Governance
• Data Security
• Data Access
• Data Storage
• Cross Border Data Transfer
• Data Retention & Archival
• Data Destruction
Key Focus Areas - Sales and Customer Service
• Consent, Notice & Disclosure
• Marketing Database
• Collection of Customer Data
• Marketing Activities
• Do Not Call Registry
• Tele-marketing
• Customer Interaction
Key Focus Areas - Legal & Contracts
• Customer Forms
• Customer Agreements
• Vendor Contracts
• Outsourcing Contracts
• Cross border data transfer
• Employment contracts
Define Policies & Procedures
Steps: Update existing policies and procedures to align to PDPA; Design operating models and processes; Design Incident Response Programme
• Update data security policies and procedures
• Update data handling policies and procedures with third parties
• Update data accuracy and integrity policies and procedures
• Update data access control and review policies and procedures
• Update data change control policies and procedures
• Define Complaint Management procedures
• Define Enquiry and Exercise of Rights procedures
• Define Personal Data Retention & Disposal procedures
• Define public communications plan (website updates, etc.)
• Define an Incident Response Programme
Rollout & Training
Steps: Develop training awareness programmes; Implement process and implement data protection control; Implement Incident Response Programme
• Define internal training & awareness programmes
• Conduct training for Incident Response programme
• Rollout Incident Response Programme
• Rollout implementation roadmap (items classified as “Immediate” only)
• Conduct training and awareness sessions
PDPA Readiness
PDPA Readiness - Test Scenario
Consent, Notifications and Purpose
Scenario
An individual complains to PDPD that <CLIENT> did not obtain consent or inform him of the purpose when collecting his personal data at a marketing road show.
PDPD decides to investigate and writes to <CLIENT> requesting evidence for the following:
• <CLIENT> has informed the individual of the purpose for collection of the personal data in question and has obtained his consent
• <CLIENT> has a standard process to clearly inform an individual of the purpose(s) for which it collects, uses or discloses personal data and obtain his/her consent.
Additional Injects
None
Readiness Checklist (with Observations/Findings and Test Result for each item)
Expected Response to Scenario
1. Able to readily retrieve documented/recorded evidence of the consent obtained
Observations/Findings: To be added
Test Result: <Pass / Partially Pass / Fail / NA>
2. Able to retrieve documented/recorded evidence of the purpose notification provided to the individual
Observations/Findings: To be added
Test Result: <Pass / Partially Pass / Fail / NA>
Policy / Procedures in place
3. Able to demonstrate a standard procedure in place to inform purpose(s) and obtain consent
Observations/Findings: To be added
Test Result: <Pass / Partially Pass / Fail / NA>
4. Able to demonstrate that employees are trained in applying the standard procedure to inform purpose(s) and obtain consent when collecting personal data
Observations/Findings: To be added
Test Result: <Pass / Partially Pass / Fail / NA>
Impact / Compliance Risk
• Non-compliance with Part IV, Division 1, Clause 13
After this seminar …
Phase 1: Perform PDPA Impact Assessment
Phase 2: Develop PDPA policies, processes and procedures
Phase 3: Implement PDPA programme
Timeline: Immediate; 1 – 2 months; 1 – 2 months; 3 – 6 months
QUESTION & ANSWER SESSION
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of
member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/my/about for a detailed
description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a
globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service
to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000
professionals, all committed to becoming the standard of excellence.
About Deloitte Southeast Asia
Deloitte Southeast Asia Ltd—a member firm of Deloitte Touche Tohmatsu Limited comprising Deloitte practices operating in Brunei,
Guam, Indonesia, Malaysia, Philippines, Singapore, Thailand and Vietnam—was established to deliver measurable value to the
particular demands of increasingly intra-regional and fast growing companies and enterprises.
Comprising over 250 partners and 6,000 professionals in 23 office locations, the subsidiaries and affiliates of Deloitte Southeast Asia
Ltd combine their technical expertise and deep industry knowledge to deliver consistent high quality services to companies in the
region.
All services are provided through the individual country practices, their subsidiaries and affiliates which are separate and independent
legal entities.
About Deloitte Malaysia
In Malaysia, services are provided by Deloitte Enterprise Risk Services Sdn Bhd and its affiliates.