What GDPR means for South African businesses

March 1st, 2018. Published in EE Publishers and PositionIT (featured article).

The General Data Protection Regulation (GDPR) is one of the most important changes in data privacy regulation in 20 years. Ross Saunders, the director of global technology services at Cura Software Solutions, shares some need-to-know information for the South African context.

Ross Saunders

The GDPR’s fundamental aim is to protect all European Union (EU) citizens from privacy and data breaches in an increasingly data-driven world. As the international compliance deadline of 25 May 2018 draws near, companies are rushing to implement the necessary controls. For a European, this is good news for the safety of personal information: how, when, by whom and for how long data is processed will be more stringently controlled than ever. But what does this legislation mean for a South African organisation?

The GDPR not only applies to organisations located within the EU, but also to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU citizens. If a company processes and holds the personal data of citizens belonging to a European Union member state, then it will be required to comply with the GDPR. Non-compliance with the GDPR can result in fines of up to €20-million or 4% of a company’s global turnover, whichever is higher.

Considering the EU is one of South Africa’s biggest trade partners, South African businesses will have to be cognisant of this data protection law, in addition to the Protection of Personal Information (PoPI) Act. That being said, the GDPR and PoPI Act are relatively similar in their application, with numerous overlaps. This is good news for companies who comply with the PoPI Act. They won’t need to start again, but certain changes will have to be made to ensure compliance.

The three key factors to consider when applying GDPR to the South African context are:

  • GDPR compliance makes business relations with European companies easier as they will be more comfortable sharing information with complying companies.
  • It places more obligations on data processors than the PoPI Act places on operators (the PoPI Act’s equivalent role).
  • The EU is seen as a leading jurisdiction for data privacy legislation and is considered the gold standard for best practices.

As an organisation, what should your first steps be?

The first port of call is to implement the required process actions. This entails identifying the various organisational stakeholders and the fundamentals that must be in place to implement a framework for complying with the regulations.

Thereafter, one should determine the activities performed on data within the organisation. This requires analysing and understanding the organisation’s data flow: how the information enters the organisation, where it is stored, who processes it, with whom it is shared, how it is removed, and so on.

Finally, gaps in these processes and flows should be identified and plans put in place to compensate for them, along with determining the relevant roles for responsibility and accountability within the organisation.

Furthermore, it is essential to ensure that one’s workforce is educated about and aware of the legislation. It is good to have policies and contracts in place, but if employees are not aware of their obligations, they become the biggest risk of non-compliance.

Everyone needs to comply with data privacy, whether GDPR or PoPI Act, and the more aware South African organisations are about their compliance obligations, the easier it will become for them to reach their compliance goals.

Organisational compliance requires regimented project plans, guaranteeing that one’s service providers are compliant, making an effort to ensure that employees are aware and educated about their obligations, committing management, introducing new or amended processes, policies, documents and contracts, and enhancing data security. Even after implementation, compliance remains an ongoing process.

Given the breadth of coverage of these laws and their impact on organisations, it makes sense for an information officer or data protection officer to track issues, something for which systems such as Cura’s exist and are useful.

Send your comments to positionit@ee.co.za