General Data Protection Regulation (GDPR)

The internet has reached people from all walks of life, and online culture has taken the world by storm. There is an undeniable shift of information into cyberspace, with individuals, companies and organisations taking their business online in a race to be the most technologically advanced.


Alas, breaches of data have surfaced, with millions of users' data exposed. In light of these major privacy breaches, the European Union ("EU") adopted the General Data Protection Regulation[1] ("GDPR") in order to regulate and strengthen the protection of the personal data of individuals in the EU.

WHAT IS GDPR?

GDPR is a set of rules designed to give individuals in the EU more control over their privacy, specifically over the protection of their personal data. It was enacted on the notion that the protection of personal data is a fundamental right of the individual, covering how their personal data is processed, stored, distributed and used. GDPR was approved and adopted by the European Parliament in April 2016 and, after a two-year transition period, has applied since 25 May 2018. GDPR replaces the Data Protection Directive 95/46/EC.

WHAT DOES GDPR GOVERN?

GDPR regulates the processing[2] of personal data[3] relating to individuals in the EU by any individual, company or organisation ("data collectors"), regardless of where that data collector is located. It does not, however, cover the personal data of deceased persons or of legal entities, or data processed by an individual in the course of a purely personal or household activity.

APPLICABILITY OF GDPR

GDPR applies only to i) a company or entity which processes personal data in the context of the activities of an establishment in the EU, regardless of whether the processing itself takes place in the EU; or ii) a company established outside the EU which offers goods or services to, or monitors the behaviour of, individuals within the EU.

REQUIREMENTS UNDER GDPR

The objective of both the EU's GDPR and Malaysia's Personal Data Protection Act 2010 ("PDPA") is to protect an individual's rights over their personal data. However, there is a stark difference in the requirements of their data processing principles.

There are 3 main requirements under the GDPR that raise its benchmark of protection above that of the PDPA. These requirements are: 1) express consent, 2) clear and plain wording and 3) transparency.


1) Express consent
GDPR requires consent to be freely given, specific, informed and unambiguous, and to be indicated by a clear affirmative action; silence, pre-ticked boxes or inactivity do not amount to consent. Explicit consent is required only for the processing of sensitive personal data. In practice, this means that individuals must be given the choice to "opt in". In comparison, under the PDPA it is sufficient for consent to be "deemed" to have been given.

2) Clear and plain wording
Data collectors under the GDPR are obliged to explain to an individual why they want to use the data, what they plan to do with it and for how long they intend to keep it. The GDPR imposes a duty on data collectors to convey this information to the relevant individuals in clear and plain wording. Lengthy clauses and long, illegible terms and conditions full of legal jargon will not meet this second requirement. This reinforces the right of an individual to know how their personal data is being managed by the data collectors.

3) Transparency
An individual must be informed before their data is collected, and kept updated as and when any subsequent changes are made to how it is used.


OTHER REQUIREMENTS UNDER GDPR
4) Breach notification
Where a personal data breach occurs, the GDPR makes it mandatory for the breach to be reported to the relevant supervisory authority within 72 hours of the data collector becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The individuals whose data was affected must be notified without undue delay where the breach is likely to result in a high risk to them.

5) Right of access and rectification
Individuals under the GDPR have the right to obtain confirmation from the data controller as to whether their personal data is being processed and, if so, for what purpose, to whom it is disclosed, for how long it will be stored and, where the data was not collected from them, its source. They are also entitled to a copy of the personal data, in a commonly used electronic format where the request was made electronically. Individuals also have the right to have inaccurate personal data rectified without undue delay. This corresponds to the Access Principle under section 12 of the PDPA[4].

6) Right to data portability
Individuals under the GDPR have the right to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to move, copy or transfer it to another controller.

7) Obligation on data processors
The PDPA places the responsibility on the data user to ensure that its data processor complies with the PDPA (in Malaysia this is usually done by contract). The GDPR, however, also places obligations directly on the data processor to abide by the GDPR, so that a processor can itself be held liable for non-compliance.


DOES GDPR AFFECT MALAYSIA?

There has been much debate and uncertainty over the enforcement of GDPR outside the EU. It must be noted, however, that GDPR applies to companies established outside the EU which offer goods or services to, or monitor the behaviour of, individuals within the EU. Malaysian companies that do so must therefore assess whether GDPR applies to them and ensure that their processes and policies are GDPR-compliant, as failure to comply can result in fines of up to EUR 20 million or 4% of the organisation's total worldwide annual turnover, whichever is higher.

CONCLUSION

GDPR has set a new benchmark for data privacy regulation and information governance in the digital economy. Perhaps Malaysia and other ASEAN countries could follow suit in harmonising their data protection regulations, in order to ensure quality protection of individuals' privacy and to ease compliance and the flow of data between Europe and ASEAN countries.

For further insight into this area of law, please contact our Partner:
Darren Kor Yit Meng
 
[1] Regulation (EU) 2016/679
[2] Article 4(2): Processing covers a wide range of operations performed on personal data, whether by manual or automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
[3] Article 4(1): Personal data is any information relating to an identified or identifiable living individual.
[4] The right to access and correct one's personal data.