PDPA Compliance for Business Cards: Are You Handling Contact Data Correctly?

By ContactSnap Team

Understanding the PDPA and Business Cards

Is a business card considered Personal Data? Yes. Under the Malaysian Personal Data Protection Act 2010 (PDPA), information that identifies an individual—such as name, phone number, email address, and job title—constitutes Personal Data. When you collect a business card, you become a "Data User" responsible for the security, processing, and retention of that data.

The Risks of "The Drawer Method"

If you collect business cards at industry events like MOGSEC or OTC Asia and leave them in a physical drawer, you are exposing your business to three primary risks:

  1. Security Risk: Physical cards can be lost, stolen, or accessed by unauthorized staff.
  2. Retention Risk: Under PDPA, you are not supposed to keep personal data longer than is necessary. A drawer of cards from 2022 is a liability.
  3. Lack of Consent: You have no record of how or why the data was collected, and keeping such a record is a key requirement for compliance.

3 Best Practices for Compliant Contact Management

  • Digitize and Secure: Move data from physical cards into a secure, encrypted digital environment immediately.
  • Maintain Transparency: If you collect cards at a booth, display a brief notice explaining that the information will be used for professional follow-up.
  • Enable Data Subject Rights: Using a digital system allows you to easily find, update, or delete a contact if they request to be removed from your database—a fundamental right under the PDPA.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Please consult with a legal professional regarding your company's specific PDPA compliance obligations.