In this article, we give you a quick breakdown of some of the essentials of the EU’s GDPR and Malaysia’s PDPA, to help you understand the key differences and how they may affect your business within Malaysia and beyond.
When we compare Malaysia’s PDPA with the GDPR, both pieces of legislation share the objective of protecting data subjects’ rights and their personal data. However, the GDPR grants data subjects more robust rights. Other key differences between the two are as follows:
GDPR vs. Malaysia PDPA – Some Key Differences
Under Malaysia’s PDPA, personal data refers to any information processed in respect of commercial (customer-business) transactions through which the customer, or data subject, is identifiable. The GDPR takes a very similar approach, although it does not have strict rules in place as to which classes of information qualify as personal data.
Both regulations focus on the data subject’s ‘identifiability’ to determine whether the information in question qualifies as personal data. However, the GDPR covers any personal data that is processed by automated means or held in a filing system. Furthermore, the GDPR’s scope is not limited to commercial transactions only.
Right to be forgotten
Under the EU’s GDPR, data subjects can exercise their right to have businesses erase their personal information under specific circumstances. One of them is where they wish to withdraw the consent on which the data processing was originally based; another is where the business no longer has any legal grounds or justification for processing the personal data.
Malaysia’s PDPA has no equivalent provision. Under section 10, businesses may not keep their data subjects’ data for “longer than necessary”. This is in stark contrast with Article 17 of the GDPR, which states that data subjects can object to the processing of their personal data and that the business in question has a maximum of 30 days to respond to such a request.
Right to data portability
Under the GDPR, there is a right to data portability: data subjects have the right to receive their personal data upon request in a commonly used, machine-readable format, which they can transfer to another data controller (without compromising its security or usability) should they choose.
There is no such provision in Malaysia’s PDPA. Even though data subjects do have a right of access to their personal data, businesses are required to provide that data in documentary form, as per the Personal Data Protection Regulations 2014. If a data subject does not find it practical to view their personal data in documentary form, the business must provide it in an alternative form that is both understandable to the data subject and acceptable to the business.
There is also no explicit right under the PDPA to transfer personal data to another business. However, such a right may not be required, as data subjects have the option to voluntarily have their data transferred to other businesses.
Privacy by design
Under the GDPR, data controllers must implement technical and organisational measures to uphold the data protection principles, including using personal data minimally and on a ‘need to process’ basis only. This must be done when the means of processing are determined and again at the time of the processing itself. By default, controllers may only process personal data for purposes that have already been established, and all underlying systems handling personal data must be designed with privacy in mind.
Malaysia’s PDPA has no such provision in place, nor does it explicitly state that systems must be built with privacy in mind.
Data Protection Officers
Data Protection Officers under the GDPR are required to have expert knowledge of personal data protection law. Their contact details must be communicated to the appropriate data protection supervisory authority, and they must have adequate resources at their disposal to fulfil their day-to-day duties and maintain their technical knowledge.
Furthermore, DPOs are required to report to the highest level of management within their organisations and to perform their tasks independently. While undertaking these tasks, DPOs may not take on any duties that result in a conflict of interest.
In the case of Malaysia’s PDPA, DPOs are not explicitly required to have expert knowledge of personal data protection law, even though some knowledge is required in practice for them to perform their jobs diligently. While the Commission recommends that every business register its DPO, there is no legislation requiring this. Likewise, there is no legislation requiring DPOs to perform their tasks independently, avoid conflicts of interest or report to the highest level of management, as is the case under the GDPR.
Overall, both the GDPR and Malaysia’s PDPA carry wide-ranging consequences for businesses. In a world where data privacy and data security have become critically important, businesses must know which laws apply to them, whether operating within the country or beyond.
Our data privacy experts at VinarcoPDPA are ready to assist you in any way possible, ensuring that you remain compliant and process your data subjects’ personal data in line with current GDPR and Malaysia PDPA requirements. Email us at firstname.lastname@example.org or call us on +66 (0) 2285 6240.