GDPR: A problem you may not know about
By Dzof Azmi March 13, 2018
- Those dealing with EU companies and targeting the EU market are affected
- Becoming commonplace for EU companies to include standard clauses related to GDPR
IS YOUR company affected by GDPR? Is it ready for it? Do you even know what GDPR is?
It is not clear exactly how many Malaysian companies are in the dark about how the European Union's (EU) General Data Protection Regulation (GDPR) affects them. This is the opinion of Kherk Ying Chew, partner and head of the IP and Dispute Resolution practice at Wong & Partners (a member firm of Baker McKenzie International).
However, she said that an estimate of 70% "wouldn't be far" from the correct number.
This is in line with a survey by EY earlier this year that showed only 12% of companies in the Asia Pacific region have a plan in place to comply with the GDPR, and that only 33% of respondents worldwide say the same.
This is worrying, given the potentially high financial penalties for non-compliance, and the date of enforcement that is looming close, May 25, 2018.
What is the GDPR?
The GDPR is an updated version of the European Data Protection Directive implemented in the EU in 1995. At that time, only 1% of the European population was using the Internet.
"The fact that it's been 20 years since they have looked at the protection of data privacy," pointed out Kheng. "This has been a bit overdue."
"The GDPR is a relook and revamp and an upgrade of their data privacy laws," said Kheng. "It has a big impact because it now standardises all the laws across Europe."
The GDPR goes into more detail about what the scope of personal data means. "They've made it clear that web data, such as IP addresses, cookie data, location, RFID tag, including genetic data, biometric data, racial, all these are covered as personal data."
How the GDPR affects countries outside Europe
It may seem strange, but European legislation designed to protect the personal data of European citizens can have an impact on how Malaysian companies do business.
"Those who are really dealing with European companies and targeting the European market, you really have no choice," she said. "Those are the ones that will be affected."
The first example of where GDPR applies is if you're targeting goods and services to European citizens. A second is if you're targeting, analysing and monitoring European citizens. It doesn't matter where the website is hosted, Kheng explained: "It has that long-arm reach."
What does "targeting" mean? "If you put the currency in euros, you make it easy for European citizens to buy your product, you will have a delivery in Europe, for example, then it will be clear that you're targeting them."
Stronger laws to protect personal data
There are a number of provisions in it that may be novel for service providers in Malaysia.
For example, the issue of consent. "In Malaysia we used to do 'deemed consent'," explained Kheng. "If they tell you 'hey, I'm processing data' and if you don't come back to them, then they assume that you're ok with it."
With the GDPR, consent needs to be explicitly given by a statement or a positive act. "You need the person to tick (a box for consent). You can't pre-tick for the person."
Another example is the right to be forgotten, where a user can tell a company to delete all their personal information from their databases.
Another example, bearing in mind the recent disclosure that 46 million Malaysian phone number records had been leaked years ago, is that companies have to report certain types of personal data breaches within 72 hours of becoming aware of the breach.
Companies in Europe do and will worry about this, and it will affect agreements with parties outside Europe. "Malaysian companies, when they deal with European companies now, may be asked in the contract to ensure compliance, for example."
Kheng said that it is becoming commonplace for European companies to include standard clauses related to GDPR. "If you actually did not comply, then you'll be in breach of the contract."
Kheng also explained that in such cases, if the company in Europe was caught and fined for non-compliance, then they in turn might sue the local entity. "There would be a flow as to the damage," she said.
And the possible damages could be very substantial: "They have actually imposed penalties which are really out of your normal," said Kheng, explaining that certain administrative fines may go as high as 20 million euros (RM96 million) or 4% of turnover (not profit), whichever is the higher.
As a result, companies are taking this seriously. "It hits right down to a company's core," said Kheng.
The GDPR is there to protect consumers
Nevertheless, Kheng feels that the law should be taken as a positive and that companies should do their best to protect privacy. "They want that concept to be seeped into the culture of the company," explained Kheng, referring to the concept of "privacy by design". "When you design any processes, you want to really think about, you know, protection or data privacy in any processes in your company."
"I think for users, absolutely, I think this is great," she said, agreeing with many who have called the GDPR a "gold standard" for data privacy legislation. "This is the only legislation that allows you to decide, I don't want you to look into my personal data."
How much at risk you are of getting prosecuted depends on whether your non-compliance is reported. "If nobody complains, the risk will be low that it will be enforced against you," said Kheng. "I suppose for Malaysian entities you will not be the target of compliance immediately, hopefully."
Nevertheless, companies would do well to prepare for GDPR, starting with whether they even fall under the ambit. Kheng's advice for SMEs was to "check to see if it applies to you, and if you don't need to target (Europe), then don't."
If you do need to comply, then most companies would need to get consultants to help them decide what kinds of policies and software are needed to bring them up to par. "There will be a cost," warned Kheng.
According to a recent PwC survey, 68% of US-based companies expect to spend US$1 million (RM3.9 million) to US$10 million to meet GDPR requirements. Another 9% expect to spend more than US$10 million.
Another factor to consider is how long it will take to become compliant, given the deadline of May 25. "Six months would be one that is comprehensive," opined Kheng. "If you really had to rush, it would be three months."