One feature of the GDPR is its application to data users who are not situated in the EU. Even though the GDPR is an EU regulation, non-EU organisations are subject to it if the organisation either:
processes the personal data in the context of activities of an establishment in the EU; or
processes the personal data of individuals in the EU, or seeks to monitor the activities of individuals in the EU, where the organisation's processing of such personal data is related to:
the offering of goods and services to individuals in the EU (whether consideration is involved or not); and
the monitoring of behaviour of individuals in the EU, in so far as their behaviour takes place in the EU
Has the EU, since the introduction of the GDPR in May 2018, investigated and fined any non-EU organisations for non-compliance?
In so far as we are aware, no fines have been issued yet. And we believe it is highly unlikely that fines will be issued against non-EU entities unless the country outside the EU has signed a reciprocal agreement with the EU, as Japan did. Under that agreement, the EU and Japan recognise each other's data protection systems as adequate, allowing personal data to be transferred safely between the EU and Japan.
Even if Malaysian businesses are not "offering goods or services" or "monitoring behaviour" of data subjects in the EU, businesses acting as data processors to their European counterparts should similarly take note of the GDPR. This is because their European counterparts are required to impose such obligations under the GDPR on data processors with whom they have arrangements for data processing activities.
Malaysian businesses should not be so quick to discount compliance with the GDPR. Steps should be taken to assess whether the GDPR applies to their business, and processes and policies that comply with the GDPR should be implemented.
With our government's intention to revise or amend the PDPA to follow, or be consistent with, the GDPR, there is all the more reason for organisations in Malaysia to be well versed in the interpretation and understanding of the GDPR's policies and procedures. When the time comes for a revised or amended PDPA to be implemented, those organisations would then not face a steep learning curve in trying to comply with the revised or amended act.