GDPR – What is it, and why should Malaysian businesses care?
25 May 2018 shall mark a significant chapter in global data privacy regulation history with the coming into force of the General Data Protection Regulation (GDPR).
The GDPR applies not only to certain EU organisations but can also apply to non-EU organisations, regardless of where in the world they are located. For example, non-EU organisations that provide services to an EU organisation, that monitor EU-based individuals, or that target such individuals with goods and services would fall within its scope.
The GDPR is intended to offer enhanced data protection laws across the EU in today's rapidly changing digital landscape, where vast amounts of personal data are exchanged across international borders daily. In particular, the GDPR affects how data is stored; introduces strict penalties for non-compliance; increases the accountability of all data handlers in the chain; increases the obligations on obtaining consent from each individual in relation to data use; requires the appointment of a data protection officer for certain organisations; and introduces new time-sensitive obligations to notify the authorities and the affected individuals of certain data breaches.
The core principles that form the basis of the GDPR, and with which organisations must comply, are that the data collected shall be: processed fairly, lawfully and in a transparent manner; used for a specific and legitimate purpose; limited to what is relevant and necessary in relation to the purposes for which it is processed; accurate and kept up to date; retained only for as long as is necessary; and processed in an appropriate manner so as to maintain its security.
The aim of this bulletin is to help you determine whether the GDPR may apply to your business and how to navigate it, with some comparative analysis based on our general understanding of the Malaysian Personal Data Protection Act 2010 (PDPA). This article serves only as a general overview of the key areas of the regulation. Should you require further support, we can assist by undertaking a preliminary review to determine the GDPR's applicability to your business and, depending on the outcome, we will work with your IT, compliance and/or legal teams to assess what needs to change in order to achieve GDPR compliance. We can also work alongside Malaysian counsel to help you bridge the gaps between the GDPR and the PDPA.
For further information on the GDPR, please click below to download the attached bulletin or get in touch with your regular contacts at Trowers & Hamlins, who can direct you to the relevant experts.