If you are unsure of what the General Data Protection Regulations (“GDPR”) are and how they affect you or your business, read on! In this article, we intend to cover the basics of the GDPR that will hopefully give you a better idea of the breadth of its application and also a flavour of what needs to be done for businesses operating in Malaysia receiving personal data from individuals of EU member states.
What is the GDPR?
The GDPR is a framework set to harmonize data protection regulations across the member states in the European Union (“EU”), and possibly beyond (more below). The GDPR tries to strike a balance between ensuring a high level of protection for the privacy of individuals and the free movement of personal data within the EU.
The GDPR replaces the Data Protection Directive 95/46/EC, and contrasted with a directive, EU regulations are binding on EU member states.
When did it come into effect?
The GDPR was approved by the EU Parliament in April 2016 and came into effect on 25 May 2018. This should explain the flurry of emails you may have been receiving in recent weeks informing you about updates to privacy policies in compliance with the GDPR.
How is it enforced?
EU Member States are to draft and pass regulations compliant with the GDPR, and local regulators will be enforcing the GDPR. For example, the UK has recently passed the Data Protection Act 2018 which is compliant with the GDPR, to replace the UK Data Protection Act 1998.
Who does it apply to?
The GDPR applies to organizations that control or process personal data which are located within the EU. The GDPR also applies to organizations located outside of the EU (ie, Malaysia), if they control or process personal data of data subjects residing in the EU. 
Does it apply to Malaysian businesses?
Yes, the GDPR applies if a Malaysian business:
- Offers goods and services to customers or businesses in the EU; or
- Monitor the behaviour data subjects in the EU,
then yes, the GDPR will apply to the Malaysian business as well. 
What constitutes data under the GDPR?
“Personal data” is defined under Article 4 of the GDPR, reproduced in its entirety below:
“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”
This is to be contrasted with the definition of personal data under the Personal Data Protection Act 2010 of Malaysia (“PDPA”), which defines personal data as
“…any information in respect of commercial transactions…that relates directly or indirectly to a data subject, who is identified or identifiable from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject”
While both legislations are wide enough to capture ‘identifiable’ data that relates directly or indirectly to a data subject, the GDPR provides a more specific examples such as location data and online identifiers. This could include even an IP address or a cookie identifier, or other factors.
Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data as it ‘relates to’ the individual.
What if my business falls within the aforementioned categories, and I don’t comply with the GDPR?
You could be slapped with hefty fines of up to 20,000,000 Euros or 4% of your business’ total worldwide turnover, whichever is higher.
How different is it from the PDPA?
There more robust rights granted to data subjects under the GDPR. Among others, there is the Right to Erasure or Right to be Forgotten. Here are just a few examples of the various differences:
Section 10 of the Malaysian PDPA merely provides that personal data of data subjects shall not be kept for ‘longer than is necessary’. In contrast, Article 17 of the GDPR grants data subjects the right to actively object to the processing of personal data and imposes a 1 month time limit to respond to such a request.
Article 22 of the GDPR provides data subjects the right not to be subject to decisions made through automated processing, which will significantly affect the data subject. Such rights are not provided for under the PDPA.
The GDPR also provides a right to ‘data portability’ which allows individuals to obtain their personal data in a machine readable format, and to request for the move, copy or transfer of personal data easily from one controller to another in a safe and secure way, without affecting its usability. This is to be contrasted with the PDPA, which only provides for the right to request from a data user the personal data processed by the data user in an intelligible form.
How do I prepare for compliance under the GDPR?
First, determine if you are (or have previously done so) collecting, storing or processing personal data of residents in the EU.
If the answer is “yes”, a review all existing data flows and processes will need to be done, and compared against the standards in the GDPR.
The GDPR has wide-ranging consequences for Malaysian businesses, particularly ones that serve customers or deal with individual data from all over the world.
The introduction of the GDPR presents an opportunity for Malaysian businesses to put in place a higher standard of protection and procedure to future-proof their business processes from changes in the local personal data protection regulatory regime, given the global and seemingly borderless nature of the businesses these days.
This article was written by Shawn Ho (Partner) & Ian Liew (Associate) from the corporate practice group of Donovan & Ho. Feel free to contact us if you have any queries.