DO YOU DO BUSINESS IN THE EUROPEAN UNION?
GENERAL DATA PROTECTION REGULATION AND HOW IT WILL AFFECT MALAYSIAN COMPANIES
Contributed by: Khairul Ikhwan bin Shaperi
The General Data Protection Regulation (“GDPR”), which takes effect from 25th May 2018, is a new European Union (“EU”) data protection framework that will affect companies around the world, especially those doing business in European countries.
APPLICABILITY OF GDPR
Any Malaysian company (regardless of whether it has a physical presence in any EU state) that stores or processes personal data when doing business within EU states, or that monitors the behavior of individuals in the EU (whether such storing and processing takes place in the EU or not), must comply with GDPR and ensure that its data protection policy is in line with it. If a Malaysian company operates an online business targeting the European market, that company would also be required to comply with GDPR. The nationality of the data subject is irrelevant.
WHAT IS GDPR
GDPR is intended to standardise privacy regulation across all twenty-eight (28) member states of the European Union and establishes a single set of rules that apply to companies doing business within the European Union.
Below are some of the important articles under GDPR that companies in Malaysia need to take note of:
Under GDPR, (i) the right to be informed, (ii) the right of access, (iii) the right to rectification, (iv) the right to be forgotten, (v) the right to restrict processing, (vi) the right to data portability, (vii) the right to object and (viii) the rights in relation to automated decision making and profiling are similar to rights under the current law in the European Union. However, these rights have been significantly strengthened under GDPR, and some individual rights are new. For example, individuals in the European Union will now have the right to data portability, i.e. to have their data transferred to a third-party service provider in a machine-readable format. However, this right only arises where personal data is provided and processed on the basis of consent or where processing is necessary to perform a contract.
Consent must be ‘freely given, specific, informed and unambiguous’, separate from other terms and conditions, and capable of being withdrawn at any time. The GDPR also contains new provisions for the personal data of children (below sixteen (16) years old), whereby a parent’s or guardian’s consent is required before the company can collect the child’s personal data.
Lawful Basis for Processing Personal Data
The lawful basis for processing personal data must be provided in privacy notices and when requested by the affected individual. Businesses should review the types of processing activities they carry out, identify the legal basis for doing so and document this.
Privacy Impact Assessments and Privacy by Design
Privacy impact assessments and privacy by design are now legally required in certain circumstances under GDPR. Privacy impact assessment involves carrying out data protection impact assessments for new technologies and high risk projects while privacy by design involves assessing privacy risk when designing a new product or service rather than as an afterthought.
Appointment of Data Protection Officer (“DPO”)
A DPO is required IF the Malaysian data controller or data processor is a public authority, carries out systematic monitoring of data subjects on a large scale, or carries out large-scale processing of special categories of data relating to health records, criminal convictions and offences in the EU.
The DPO must be involved in all issues which relate to the protection of personal data. The DPO must also inform and advise the company and their employees of their obligations, monitor compliance, provide advice, cooperate with the supervisory authority, and act as the contact point for the supervisory authority of each EU state.
Reporting of Data Breach
In the case of a breach, all companies are obliged to notify the supervisory authority without undue delay and, where feasible, within 72 hours after having become aware of it. The company must also directly notify those concerned, i.e. the individuals affected by the breach, in order to limit the damage. Failure to report a breach when required to do so could result in a fine, in addition to a fine for the breach itself.
The GDPR lays down a two-tier fine policy for data breaches and for non-compliance with the requirements under GDPR:
Fines of up to €20 million or 4% of worldwide turnover, whichever is greater, are imposed for breaches considered the most serious, such as failure to meet the conditions for consent, whilst fines of €10 million or 2% of turnover, whichever is higher, are imposed for lower-level breaches such as failure to keep proper written records of processing activities.
GDPR may seem complex and there is no “one size fits all” approach in preparing for GDPR compliance. Affected companies and businesses must examine what exactly is required in order to comply and must implement appropriate technical and organizational measures to be in compliance with GDPR such as staff training, internal audits of processing activities and reviews of human resource policies.
This publication is for general information purposes only. It does not purport to provide comprehensive full legal or other advice. SRL accepts no responsibility for losses that may arise from reliance upon information contained in this publication. Should you require professional advice, please contact our partners. This publication is not intended to solicit clients and it does not in any way create a solicitor-client relationship. The reproduction of the contents of this publication in part or in its entirety other than for private non-commercial use is strictly prohibited.