It was on 25 May 2018 that the long awaited and often discussed General Data Protection Regulation came into effect. This shiny, new European Union (EU) legislation was created to ensure that the data of all EU residents is protected properly, and it provides in-depth guidelines on the collection and processing of their personal information. It may not sound like something even remotely relevant to your business, but wait, it really, really is.
If the data being processed by your company belongs to an EU resident, or if your data is located somewhere other than South Africa, then the relevance is suddenly very clear. If you store or process the data of anyone from the EU, you need to get to grips with this legislation and what it means for your business and your customers. If you don’t, you could be in line for some very heavy financial penalties. And no, the fact that you’re on a separate continent isn’t going to make you immune.
So what do I do?
Spend some time getting to know the legislation. The Act has been laid out to help you figure out where you could be affected and what you need to do to mitigate the risk. It has a separate definition for ‘sensitive personal data’, which covers information concerning a person’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual preferences and criminal offences.
If you don’t understand the terminology, or you’re unsure whether or not it applies to your business, speak to a professional. The cost in money and time is far less than the one you may incur if you are in breach of GDPR. It will also very likely help you get on track to become compliant with South Africa’s POPI Act.
Why should I care?
You can be financially and reputationally penalised if you are found to be in contravention of this new legislation.
What steps should I take?
As well as speaking with a professional and reading the GDPR legislative requirements, you should understand the risks and how they could impact you and your EU client base. Whether you are a controller or a processor of data, the act still applies. However, it applies only if your organisation operates in the EU or serves EU individuals; where you host your applications matters far less.
Why bother if I don’t have EU connections?
Over the past few years data breaches have become so common that they’re almost not newsworthy anymore. However, this doesn’t change the fact that consumers are impacted and businesses are avoiding responsibility for basics such as the ability to opt out of marketing materials, or to permanently remove accounts from platforms, where the information must be permanently destroyed.
GDPR requires that breaches be reported within 72 hours of the organisation becoming aware of them, and the fines can range from 10 million Euro to 4% of global turnover, whichever is higher. If you’re not connected to the EU, POPI is set to have equally stringent rules attached to it, and consumers are becoming increasingly fed up with being left to deal with the impact of bad business behaviour. You have been warned…