By Ross Saunders, Director of Global Technology Services at Cura Software Solutions
The General Data Protection Legislation is the most important change in data privacy regulation in 20 years. Its fundamental aim is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. As the international compliance deadline of 25 May 2018 draws near, companies are rushing to implement the necessary controls. As a European, this is excellent news for the safety of your personal information – how, when, by whom and for how long your data is processed will be more stringently controlled than ever, but what does this legislation mean for a South African organisation? Ross Saunders, the Director of Global Technology Services at Cura Software Solutions, shares some need-to-know information for the South African context.
According to Saunders, The GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU citizens. “If your company processes and holds the personal data of citizens belonging to a European Union member state, then you will be required to comply with the GDPR. Non-compliance with the GDPR can result in fines of up to 20 million euros or 4% of global turnover, whichever is higher.” says Saunders.
Considering the EU is one of South Africa’s biggest trade partners, South Africa is going to have to be cognizant of this data protection law, in addition to its own Protection of Personal Information Act (POPIA). That being said, the good news is that the GDPR and POPIA are relatively similar in their application, with numerous overlaps. This is good news for companies who have already done much to comply with POPIA. You won’t need to start again, but certain changes will have to be made to ensure compliance.
According to Saunders, the three key factors to consider when applying GDPR to the South African context are as follows:
● GDPR compliance makes business relations with European companies easier as they will be more comfortable sharing information with you.
● The GDPR places more obligations on data processors as compared to operators in POPIA.
● The EU is seen as a leading jurisdiction for data privacy legislation and is considered the gold standard for best practices.
As an organisation, what should your first steps be?
The first port of call is to implement the required process actions. These entail identifying the various organisational stakeholders and the fundamentals that must be in place to implement a framework for complying with the GDPR.
Thereafter, one should map out the necessary activities performed on data within the organisation. This includes analysis and understanding of the organisation’s data flow – how does the information enter the organisation, where is it stored, who processes it, who is it shared with, how is it removed, and so on.
Finally, gaps in these processes and flows are identified, and action plans are put in place to compensate for them along with the relevant responsibility and accountability within the organisation.
Furthermore, it is essential to ensure that your workforce is educated and aware when it comes to legislation. It is all fair and well to have policies and contracts in place, but if your employees are not aware of what their obligations are, they become the biggest risk of non-compliance or a data breach.
Saunders concludes that everyone needs to comply with data privacy (whether GDPR or POPIA) and the more aware South African organisations are about their compliance obligations, the easier it will become for them to reach their compliance goals. “Organisational compliance requires regimented project plans, taking positions on tough questions, guaranteeing that your service providers are compliant, making a vested effort to ensure that your employees are aware and educated about their obligations, eliciting commitment from management, introducing new or amended processes, policies, documents and contracts, and enhanced data security. Even after implementation, compliance of these items will be ongoing. Given the breadth of coverage of these laws and their impact on your organisation, it makes sense for an Information Officer or Data Protection Officer to track them in a system such as CURA.”