International data protection regulation affects SA businesses

October 26th, 2017, Published in Articles: EngineerIT, Articles: PositionIT

With the European Union’s new General Data Protection Regulation (GDPR) taking effect on 25 May 2018, cloud applications and platform services provider Oracle hosted a roadshow in Johannesburg for South African businesses and organisations to understand the repercussions the data protection regulation has for them.

The GDPR is the EU’s equivalent of South Africa’s Protection of Personal Information (POPI) Act, but since it applies to the data of all EU citizens (or “data subjects”) its scope extends beyond Europe’s boundaries to all entities who work with data from EU citizens.

South Africa’s trade partnerships with the EU, the POPI Act’s alignment to the GDPR, and the high cost of non-compliance are all good reasons for South African businesses to become GDPR compliant.

Both sets of data protection regulations are founded upon the basic human right to privacy, and protect individuals’ personal information by regulating the ways in which it is stored, processed and used. Personal data is defined as information related to a natural person, that can be used to identify the person directly or indirectly, and can range from a name, photo, email address and bank details to social media posts, medical information or a computer IP address. Anonymised data falls outside the gambit of the regulation.

The POPI Act is closely aligned to the GDPR, and many consider it a stepping stone to GDPR compliance. However, the GDPR is more comprehensive and specific in its framework than the POPI Act. Where the POPI Act centres on the roles of responsible parties (“data controllers”) and operators (“data processors”), the GDPR also recognises the roles of joint responsibility parties, third parties and recipients.

The GDPR, which replaces the 1995 Data Protection Directive, puts individuals in control of their data while remaining pro-digital. The regulation now:

  • Strengthens conditions for individual consent (op-in instead of opt-out)
  • Imposes penalties and fines for non-compliance, which could be up to 4% of an organisation’s revenue
  • Sets a “privacy by design” standard
  • Increases the territorial scope and jurisdiction of data protection
  • Outlines a data breach notification process in which data subjects need to be notified within 72 hours of a breach
  • Expands the data subject’s right of access to their data
  • Includes a data erasure (“right to be forgotten”) clause
  • Enhances data portability
  • Creates regulatory requirements and the framework for responsibility, e.g. data protection officers
  • Provides authorities with more power to pursue data abuses, and individuals more control over their personal information

While the GDPR implies good IT and security practices, it calls for a comprehensive data protection approach beyond access control and encryption alone. Instead, it collectively considers business processes that will protect users and reduce risks.

Finding a starting point, however, can be overwhelming. Oracle recommends that businesses and organisations take an incremental but coordinated approach, such as starting by creating records of data processing and processing activities, including categories of data subjects, categories of personal data, description of security measures and others. This can be followed by a risk and data protection impact assessment, before proceeding to tackle specific aspects of the 99 articles in the GDPR, such as the articles relating to the rights of data subjects (data erasure, processing restrictions etc.). Consulting legal council also comes highly recommended.

While the regulations don’t specify specific security measures for companies to take, it does create a well-defined framework against which to measure compliance, and companies would do well to prepare themselves for compliance.

Related Articles

  • South African Government COVID-19 Corona Virus Resource Portal
  • Now Media acquires EngineerIT and Energize from EE Publishers
  • Printed electronics: The defining trends in 2019
  • Charlie and the (fully-automated) Chocolate Factory
  • Latest GIS further supports electric and gas networks