
Far-reaching privacy rules

THIS Friday, the European Union (EU) will introduce some of the toughest online privacy rules in the world when its new data protection regime in the form of the General Data Protection Regulation (GDPR) becomes law.

Its implications are far-reaching, affecting any individual, company or organisation that markets to or processes the information of EU data subjects, which include end users, customers and employees.

If your organisation markets to or processes the information of EU citizens, GDPR applies to you, whether or not you’re based in the EU. A Malaysian bank such as CIMB, Maybank or AmInvestment Bank, or company such as Petronas, with a subsidiary or joint venture in the EU or dealing with EU citizens would have to comply with the new provisions.

GDPR will dramatically change how organisations handle personal information and is expected to significantly impact operations of EU-based and non-EU companies alike. It will inevitably have a knock-on effect on other countries and companies doing business with the EU or their citizens. Another positive aspect of GDPR could be its potential to drive similar data protection laws in other countries, perhaps leading to global uniformity.

The changes are aimed at giving EU Internet users more control over what data is collected and shared about them, and they punish companies that don't comply. Global household Internet and social media giants such as Facebook, Twitter, Instagram, Google; financial services and any other corporations; and government departments face potential fines of up to 20 million euros (RM94 million) or up to 4.0 per cent of total worldwide annual turnover/revenue for the preceding financial year, whichever is higher, in the case of non-compliance.

GDPR, which replaces the minimum standards of the current EU Data Protection Directive, demands data protection accountability, data subjects’ consent, right to access, rectification, erasure and portability, and data breach notification.

In an ever-evolving digital world and economy, information is an invaluable asset, and personal data a boon for marketing, lobbying, influencing and profiling segments in society and business. This gives immense power to social networks, social media and any company or individual that uses the Internet for whatever purpose, in using your data whether as a customer, subscriber, investor or even shareholder.

In the past, the use of the data was couched in small print on privacy and terms and conditions, usually vague, inaccessible and difficult to comprehend, which led to sometimes wholesale abuse of personal data, some bordering on fraud, criminality and political shenanigans.

In the aftermath of the recent Facebook and Cambridge Analytica data capture-and-sharing scandal in which the latter was accused of improperly obtaining information on users and allegedly using it for political campaigning, and a spate of personal data breaches over the last few years relating to confidential data on bank accounts, medical records and so on, GDPR is a blessing, which if handled creatively could unleash an information transformational change for individuals, corporations and governments alike.

GDPR, which ironically comes into effect exactly a week after Cambridge Analytica filed for bankruptcy in a New York court, could turn out to be, for individuals, an empowering enabler to recapture control of their personal data on the Internet; and for business, according to IBM, a game-changing “differentiator enabling transformational opportunities”.

But, will the data of Europeans be more protected than that of Americans or for that matter Malaysians? GDPR is not only about compliance; it is, according to IBM, potentially also about how it can meaningfully change organisations by improving security and privacy, creating more engaged customers and driving better data strategies. As such it is also about whether organisations can turn a compliance challenge into broader transformation.

For economies such as Malaysia, which is knocking on the door for high-income nation status and which has been pushing a digital economy agenda through its Malaysia Digital Policy, adopting a GDPR regime similar to the EU’s becomes a necessity. Malaysia is the first country in the world outside China to establish a Digital Free Trade Zone (DFTZ), with the aim of providing physical and virtual zones to help SMEs capitalise on the growth in the Internet economy and in cross-border e-commerce, which generated revenues of US$2.3 billion (RM9 billion) in 2017.

The Pakatan Harapan government headed by Prime Minister Tun Dr Mahathir Mohamad has not had time to articulate its digital economy policy and is bound to continue with the MDP and DFTZ, whose aim is to help transform Malaysia into a regional e-commerce hub. The MDP itself has a target of contributing 20 per cent of GDP by 2020.

Bank Negara Malaysia (BNM) and Securities Commission Malaysia (SC) have been leading digital innovation in the banking sector and capital market. The SC last year launched its Digital Investment Management framework, paving the way for automated discretionary portfolio management services in Malaysia.

Similarly, the SC and BNM recently also established the Brokerage Industry Digitisation Group, a joint working group between the regulators and industry to accelerate digitisation of the stockbroking industry.

All these initiatives have data protection implications. Amid a growing global conversation about security, privacy, choice and control regarding data, both the threats and responsibilities are greater, as are the potential effects on the economy, business and society.

mushtakparker@yahoo.co.uk

The writer is an independent London-based economist and writer
