GDPR – General Data Protection Regulation
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU-wide regulation that controls how companies and other organizations handle personal data. The European Data Protection Regulation is applicable as of 25 May 2018, and replaces the Data Protection Directive.
Non-compliant organizations risk substantial fines of up to 4% of their global turnover or up to €20 million, whichever is greater. Companies often underestimate how broadly the regulation reaches and how complex it can be to manage.
The GDPR affects every company that processes the personal data (PID) of European citizens, wherever that company is located: it changes how personal data is managed across the globe. Its reach extends well outside Europe, especially to companies that do business in the EU or have customers who are EU residents.
One option for companies is to engage cloud providers that offer GDPR-compliant services, which would take some of the pressure off compliance costs.
GDPR's effect on Malaysian and other Asia-based companies
Companies that deal with EU consumers or employees must comply or risk hefty fines. Even if you are not located in the EU, some of your website visitors may be EU residents, which automatically makes the regulation relevant and brings your organization under its purview. The options are to block all EU users from your website, to handle them differently, or to adopt the GDPR requirements.
In Malaysia, organisations are pushing data privacy to the top of their agenda, as the regulation has a significant impact on Malaysian businesses. The GDPR standards will likely give private-sector organisations subject to the Malaysian Personal Data Protection Act 2010 (the PDPA) guidance on how to comply with their data security, retention and integrity obligations.
By complying with GDPR, companies can stay safe from data breaches. GDPR compliance also prepares companies for digital business and IT transformation, while building trust and loyalty among their clients.
Complying with data regulations rests on understanding where data is sourced and how it is used. Companies must ensure that data is used only for the purposes specified when it was collected and processed. The regulation strictly prohibits disclosing personal data, without the individual's consent, for any purpose other than the one disclosed at the time of collection (or a purpose directly related to it), or to any party other than a third party of the class notified to the data user.
Organisations in Malaysia that fail to make the necessary improvements after an inspection could face criminal enforcement action under the PDPA.
Data breach notification procedures
- Detailed incident response SOPs describing how teams should prepare for a breach and how they should operate if a breach does occur.
- Providing customers with the ability to specify a dedicated privacy contact to notify in the event of a breach.
- Notifying customers of a personal data breach within a specified time after the breach is declared.
- Consistently notifying customers with the following details:
  - Description of the nature of the breach
  - Timing of the breach and timing of breach awareness
  - The approximate number of users affected
  - The type of user data breached
  - Actions needed to mitigate the breach, either by the controller or by the processor
  - Next steps and the timeline for subsequent communication after the initial notification