Financial Crime World

Brunei’s New Data Protection Law: What You Need to Know
======================================================

The Personal Data Protection Ordinance (PDPO) is set to revolutionize data protection in Brunei Darussalam, imposing strict obligations on private sector organizations that collect, use, or disclose personal data. The law applies to all organizations, regardless of their location or formation, as long as they operate within the country.

Key Obligations


The PDPO establishes nine core obligations aimed at ensuring the protection and security of personal data:

  • Accountability: Organizations must appoint a Data Protection Officer (DPO) responsible for compliance with the PDPO.
  • Consent: Organizations must obtain valid consent from individuals before collecting, using, or disclosing their personal data.
  • Purpose Limitation: Personal data can only be collected, used, or disclosed for purposes that are reasonable and appropriate in the circumstances.
  • Notification: Individuals must be notified of the purposes for which their personal data will be collected, used, and/or disclosed.
  • Accuracy: Organizations must make reasonable efforts to ensure the accuracy and completeness of personal data.
  • Protection: Personal data must be protected from unauthorized access, collection, use, disclosure, copying, modification, disposal, or other risks.
  • Retention Limitation: Personal data should be removed or deleted when no longer necessary for the purpose for which it was collected.
  • Transfers Limitation: Personal data cannot be transferred to a country or territory outside of Brunei Darussalam without ensuring comparable standards of protection.
  • Data Breach Notification: Organizations must notify the Authority for Info-Communications Technology Industry (AITI) within three calendar days of a breach that could result in significant harm to individuals.

Exceptions and Guidance


The PDPO includes exceptions for data intermediaries, such as those with data processor contracts, which may be exempt from certain obligations. The AITI will also provide advisory guidelines and resources to assist organizations in complying with the law.

Enforcement and Compliance


The PDPO is expected to come into effect in mid-2022, with a two-year grace period for organizations and data intermediaries to achieve compliance. The supervisory authority will have enforcement powers, including sanctions and orders, to ensure compliance with the law.

In Part 2 of this series, we will explore data subject rights under the PDPO and the Do Not Call regime. Stay tuned for more insights on the new data protection landscape in Brunei Darussalam.

Author


Theo Stylianou is a Privacy Analyst with [insert publication name]. He can be reached at [insert email address].