Why Malaysian Companies Should Adopt GDPR Standards

The Malaysian Personal Data Protection Act (PDPA), in force since November 15, 2013, governs the processing of personal data within Malaysia and applies to all businesses involved in commercial transactions. However, as Malaysian enterprises increasingly expand their operations internationally, a pressing question arises: does compliance with the PDPA automatically satisfy the stringent requirements of the GDPR (General Data Protection Regulation)?

Indeed, the GDPR is relevant to Malaysian companies if they either provide goods or services to, or monitor the activities of, individuals within the European Union – Article 3 of GDPR[1]. Failure by Malaysian companies to adhere to GDPR standards when collecting or processing the personal data of EU citizens may result in hefty fines of up to 4% of global annual turnover or €20 million, whichever is greater[2].

To introduce the GDPR briefly: it is a regulation in EU law, in force since May 25, 2018, on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). Its primary aims are to give citizens and residents control over their personal data and to simplify the regulatory environment for international business through harmonised regulation within the EU.

While both the PDPA and GDPR share the common goal of safeguarding an individual’s rights over their personal data, the GDPR provides individuals within the European Union with more extensive rights in relation to that data. The GDPR is a more comprehensive and rigorous data protection law than the PDPA: it grants individuals greater control over their personal data and places stricter obligations on organisations engaged in personal data processing. Nevertheless, a detailed comparison between the PDPA and GDPR merits a separate discussion.

The Golden Standard. GDPR’s inception was driven by the aim of advancing the Digital Single Market[3] strategy, seeking to establish a unified set of regulations in the digital realm while encouraging innovative thinking in areas pivotal to competitiveness and future technological growth. GDPR’s comprehensiveness is geared towards establishing leadership in the global digital economy. By offering enhanced protection, it bolsters fundamental societal rights. Notably, the GDPR mandates that individuals must provide explicit consent – Recital 32 of GDPR[4] – before data processing is permitted, and enables individuals to request deletion of their data (the right to be forgotten – Article 17 of GDPR[5]). These provisions, which are absent from the PDPA, grant individuals greater control over their own data.

One Set of Regulations for Everyone. The GDPR is the unified legislation on personal data protection throughout the EU and EEA. It provides the same protections and rights for all individuals regardless of company size. This means that Malaysian companies that adopt GDPR standards will only have to comply with one set of regulations, rather than multiple sets of regulations in different countries.

Modern Personal Data Protection Framework. The GDPR introduces concepts that are absent from the PDPA, such as data portability and streamlined data transfer mechanisms. These are vital components of its modernity and align with the borderless nature of the digital age.

Data portability – Article 20 of GDPR[6], a hallmark of GDPR, empowers individuals by allowing them to request their personal data in a machine-readable format. This facilitates easy transfer of their data to another service provider (data controller), ensuring modern data practices align with user-centric principles.

Additionally, GDPR’s approach to international data transfers – Article 44 of GDPR[7] – is noteworthy. It offers a range of mechanisms, such as mandatory data protection impact assessments[8], Standard Contractual Clauses[9] (SCCs) and Binding Corporate Rules[10] (BCRs), to facilitate secure and compliant cross-border data flows (contrast this with the default position on transfers under the PDPA[11]). The GDPR reflects the modern reality of global data transfer requirements and ensures that individuals’ personal data remains protected regardless of geographical boundaries.

By adopting GDPR standards, Malaysian companies can embed data protection principles into the earliest stages of product development, consistent with the GDPR’s emphasis on “privacy by design and by default”.

Stricter Personal Data Legislation. The GDPR is notably stricter than the PDPA in safeguarding personal data. It enforces significantly higher fines for non-compliance, imposes rapid data breach notification requirements, and sets a higher standard for obtaining and recording consent.

Consumers are increasingly aware of their data privacy rights and are more likely to do business with companies they trust to protect their data. Adopting GDPR standards not only shows that a company is committed to protecting its customers’ data privacy, but is also a strategic move that positions the company favourably in the global marketplace.

In conclusion, while Malaysian companies are inherently bound by the PDPA, adopting GDPR standards, which represent a more comprehensive and rigorous data protection regime, offers an array of advantages, particularly for companies venturing into the European market. However, it is crucial to acknowledge that embracing GDPR standards requires careful deliberation, as it entails significant shifts in data collection practices and often requires substantial technological investment.

[1] https://gdpr-info.eu/art-3-gdpr/

[2] https://gdpr-info.eu/art-83-gdpr/

[3] https://edps.europa.eu/data-protection/our-work/subjects/digital-single-market_en

[4] https://gdpr-info.eu/recitals/no-32/

[5] https://gdpr-info.eu/art-17-gdpr/

[6] https://gdpr-info.eu/art-20-gdpr/

[7] https://gdpr-info.eu/art-44-gdpr/

[8] https://gdpr-info.eu/art-35-gdpr/

[9] https://gdpr-info.eu/recitals/no-168/

[10] https://gdpr-info.eu/art-47-gdpr/

[11] https://www.azmilaw.com/insights/data-protection-limits-to-the-lawfulness-of-transborder-flow-of-personal-data-outside-malaysia/

© Copyright 2020, Lee & Poh Partnership