On 25 May 2018, the General Data Protection Regulation (GDPR) comes into effect across the EU, regulating how organisations handle personal data. Although it is EU law, its reach is extra-territorial: it will affect businesses of all sizes, including those in Malaysia, that have operations in the EU or that offer goods or services to, or monitor the behaviour of, individuals in the EU.
In Asia, many businesses think that the GDPR will not directly affect them, and are not ready for the regulation. According to EY, only 10% of companies in neighbouring Singapore have a GDPR compliance plan in place, far below the global average of 33%. This figure could be even lower for Malaysia. While the reality is that most companies will not be fully compliant by 25 May, we should still start taking steps in the right direction today. Given the regulatory pressures as well as the need for good data ethics, this agenda will certainly build momentum in this part of the world and affect the ways in which businesses operate here in Malaysia. Malaysia has in fact already started enforcing its own Personal Data Protection Act 2010 (PDPA), with the Personal Data Protection Department bringing errant organisations to task. More recently, in 2017, companies in the hotel and education sectors, as well as an employment agency, were fined up to RM 20,000 for breaches of the PDPA.
Even things we do every day without a second thought will be affected by the GDPR. With the regulation’s complexity, organisations need to be more careful about handling data in various contexts. Here are some examples of activities that you should reconsider as these simple tasks may lead to difficult outcomes:
Sending office greeting cards
Businesses that send greeting cards, such as Christmas cards, to customers in Europe should hold their horses. A customer's home address is personal data, so mailing to it requires a lawful basis under the GDPR, and if you are relying on consent, that consent must have been given expressly for that kind of contact. Note that switching to e-cards does not sidestep the question: an email address is personal data too, so the same lawful basis is needed for electronic greetings.
Forwarding a candidate’s resume for a second opinion
Candidates’ resumes are personal data, and thus protected under the GDPR. Instead of forwarding them as is, redact them by removing names, addresses, phone numbers and any other details that identify the candidate, and share only what the second reviewer needs. Bear in mind that a redacted resume is usually pseudonymised rather than truly anonymised, since the combination of employer names, dates and qualifications can still single out an individual, so the redacted copy remains personal data and should be handled as such. Redacting resumes is also becoming a growing trend among businesses as part of an approach to remove gender and race bias in recruitment.
Ticking the box to join a mailing list
Do registration forms on your website have pre-ticked boxes for customers to receive marketing information? You might want to rethink that. Under the GDPR, consent must be a clear affirmative act; silence, inactivity and pre-ticked boxes will no longer suffice. Privacy policies should also be revised, because requests for consent to use personal information must be intelligible, clearly distinguishable from other matters, and written in clear, plain language.
Aside from day-to-day activities, the GDPR also makes it a business imperative for all organisations to be able to demonstrate compliance with its data processing principles. In some cases, such as where an organisation's core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive categories of personal data, the company must formally appoint a Data Protection Officer (DPO).
Additionally, the GDPR makes timely notification a central part of data breach management. A personal data breach covers personal data that is accidentally or unlawfully lost, destroyed, altered or disclosed, or accessed without authorisation, and it must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the individuals concerned, for example financial loss, identity theft or fraud, those individuals must also be informed without undue delay.
The GDPR has long arms and will surely affect businesses in Asia, one way or another. With fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, it’s easy to feel paralysed by the GDPR’s heavy impact. Rather than fearing the regulation, businesses should take the GDPR as an opportunity to demonstrate a commitment to customers’ data privacy.