On 25 May this year, a new piece of legislation comes into effect in Europe that could have severe consequences for non-compliant South African businesses. The General Data Protection Regulation – or GDPR for short – is a regulation under European Union law that aims to give control over personal data back to EU citizens.
The regulation applies to any organisation that collects or processes data from EU citizens, even when that citizen or organisation is based outside the EU. The European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life”. This includes names, home addresses, photos, email addresses, bank details, social media posts, medical information, or even a computer’s IP address.
The fines for non-compliance are severe and could spell the end of a business practically overnight: the maximum fine is as much as €20-million, or nearly R300-million. What’s more, the regulation is far-reaching: if a company has an EU citizen among its workforce, a customer based in the EU, or even a single newsletter subscriber based in the EU, that company can be held liable under GDPR. Few if any mid-sized South African firms could afford such a steep sanction, and legacy issues compound problems around compliance, increasing their risk and potential liability.
In response, local firms are taking unprecedented steps to ensure they and their customers remain within the confines of the new regulation, especially considering the volume of trade and collaboration between African countries and their European counterparts.
Legacy processes add complexity to compliance
Most mid-sized firms have deliberately or inadvertently built up internal silos around how customer, business and other operational data is stored. For example, in a typical retailer’s marketing department, the data storage system that processes newsletter subscriptions via email may be entirely separate from, and not integrated with, the WhatsApp number where much of the customer communication takes place.
This means a customer who unsubscribes from a newsletter via WhatsApp may still receive the newsletter until such time as the retailer can integrate the two sets of data.
When GDPR comes into effect, companies will not only be liable for fines should the above scenario play out, but will also need to be able to provide customers with complete clarity on how their data is stored and managed at any point in time. Any costs incurred in the process of showing how customer data is stored are also for the company’s own account, which adds not only complexity to standard business processes but also potentially additional costs.
Considering the prevailing trust deficit between consumers and brands, the potential damage from being exposed for treating confidential customer data poorly is immense. Once trust is breached, affected customers are unlikely to engage with the brand again, and will leave a searchable and public trail of comments on social media for all to see. The recent case of Facebook – which now faces a fine of as much as $2-trillion – has brought this to the forefront of consumer consciousness, but other examples of poor customer data management abound. Closer to home, the leaking of 31 million records at the Master Deeds Office revealed the ID numbers, addresses and income estimates of millions of South African citizens.
On the basis of consent
For South African businesses, however, new technology tools could play an invaluable role in mitigating the risks associated with GDPR and its South African counterpart, POPI. A recent investment by SAP into Consent is simplifying the business processes associated with creating trusted digital experiences within the limitations of GDPR and POPI compliance.
Part of the SAP Hybris suite of applications, Consent enables SMEs to centrally manage customer preferences and consent settings throughout their full lifecycle, while putting them in control of their own data. Consent enables companies to be transparent, gain loyal customers and protect their business from costly fines as well as potentially disruptive business processes related to proving to customers how their data is being stored and managed.
In line with modern business demands, Consent is also provided in the cloud, making it quick to implement and easy to prove ROI. Every time a policy changes, customers can receive an automated notification that they actively accept, with a record of such forms of consent stored centrally to allow SMEs to quickly and accurately prove responsible customer data management.
Whether you run an online retailer with customers around the world, or a news website where a European citizen may occasionally offer a comment on an article, GDPR holds inherent risks to your business. But with the correct technology tool, a potential R300m liability can be transformed into a competitive business advantage that furthers the cause of trusted and trustworthy digital customer experiences.
Here are five immediate steps South African companies can take to limit their GDPR risk:
- Educate staff: Make sure everyone in your company understands what GDPR and POPI mean and what is recognised as personal information.
- Understand the current state: Ensure you understand what data is being stored – and where it is stored.
- Inspect the data: Get to grips with exactly what personal information is being stored where. Categorise data (for example names, email address, ID numbers) and delete data that is not needed.
- Implement processes: Put in processes and systems to handle all data, including acquiring, accessing, maintaining and disposing of information.
- Improve reporting: Regular audits will be needed to ensure the processes are being followed, and to know at all times where data is being stored, who has access to it, and how a potential breach of data will be handled.