General Data Protection Regulation (GDPR) – the EU Data Protection Compliance
The enforcement of the European Union’s new data protection law, the General Data Protection Regulation (GDPR), is a remarkable change in data privacy law in Europe. Under the sweeping new law, businesses and companies must meet obligations covering the collection and processing of personal data, the purpose of data collection and retention, and the protection of that data. GDPR has not only changed the data protection landscape in the EU, but also has an impact outside Europe.
What is the General Data Protection Regulation (GDPR)?
Before we dive into what it means to be GDPR-compliant, let us look at what exactly GDPR is and why everybody is talking about it.
General Data Protection Regulation (GDPR) imposes a single uniform data protection law across the EU that suits the digital age. Unlike the PDPA in Malaysia, GDPR is a more stringent data protection law that covers not only EU residents and any data collected and processed in the EU, but also organisations in non-EU countries. Because of its extra-territorial reach, GDPR applies to businesses and companies outside the EU: those that provide goods and services to EU residents, or collect and analyze data about EU residents, are all required to comply with the new legislation.
How Does It Affect Us in Malaysia?
The EU is the world’s largest trading bloc and the trading partner of many countries across the globe. GDPR’s extra-territorial nature imposes a blanket data protection law on any business that does business in the EU or collects EU residents’ data, even if it has no presence in the EU. Simply put, GDPR has a worldwide data compliance effect.
Non-EU companies and organisations therefore have to keep up with GDPR compliance requirements if they want to do business in the EU. Otherwise, a violation of GDPR can lead to a whopping fine of €20 mil (RM101.23 mil) or 4% of the company’s global turnover, whichever is higher.
A Quick Guide to Understand GDPR
1. Brief introduction
- GDPR is a European Union (EU) data protection regulation
- Repeals the 1995 Data Protection Directive
- Stringent data privacy regulation that expands the scope of personal information identifiers
- A uniform data protection legislation across EU
- Customers are in control of their personal data
- Simplified regulatory environment for international business
2. Wider scope of ‘personal data’
GDPR is seen as a new milestone in data protection law for the digital age, as it also covers genetic data, profiling information, IP addresses, and data in cookies.
3. Non-EU impact
The non-EU impact of GDPR means that international businesses that deal with EU companies or have EU customers will fall within GDPR’s scope.
4. Data Protection Officer (DPO)
The appointment of a qualified DPO (who reports directly to senior management) is a mandatory requirement under GDPR. The purpose of this clause is to make sure that companies remain GDPR-compliant and are able to keep up with new data protection requirements.
5. Data Protection Impact Assessments (DPIA)
GDPR mandates that all organisations carry out a DPIA, depending on the privacy risks and impact of the processing operation.
Is your company GDPR-compliant?
The extra-territorial nature of GDPR has far-reaching implications for all companies that trade or do business in or outside the EU. Here are steps you can take to make sure your company stays GDPR-compliant:
1. Perform a Data Protection Impact Assessment
A properly done DPIA works like an X-ray of your existing systems, helping you find the weak spots and enhance data protection and security in your company.
2. Have a compliance officer
Appointing a Data Protection Officer (DPO) will help your business keep up with the constant changes in data privacy laws and address data protection issues.
3. Understand and categorize your data
Sort out which of your business’s data will be affected by GDPR: business contracts, customer data, purchase order history and financial data. In addition, perform due diligence checks on data storage, data processing and data leakage prevention measures to mitigate the risk of a data breach and of violating the law.
What if we don’t comply?
Any breach or violation of GDPR could result in sky-high fines. However, the fine is not the only risk of a GDPR violation: mishandling personal data will also tarnish the company’s reputation for data protection.