29 May 2018

Data Protection "D-Day"

by Verlie Oosthuizen, Partner, Durban
Practice Area(s): Social Media / Cyber Crimes | Employment

More than a few people were complaining about the dozens of emails that they received last week informing them that international companies were updating their privacy policies and asking them to verify information due to the General Data Protection Regulation (GDPR) taking effect in the European Union. This is a very comprehensive legislative instrument which applies to the personal data of all European Union citizens and has far-reaching implications for everyone who processes their data. Legislation does not often apply to countries or companies that are not based in the place where the law is in force; however, with the GDPR, any company that offers goods and services to EU citizens (or monitors their activity through applications) will have to be compliant with the Regulation.

The requirements for compliance with the GDPR are quite onerous and detailed. It is also expensive to implement the necessary systems. It is more challenging in South Africa, as we do not have current data protection legislation in place and so companies do not have a sophisticated culture of data protection compliance. Although the Protection of Personal Information Act (POPIA) has been passed, it is not fully operational and compliance is not yet necessary.

Unfortunately, non-compliance with data protection provisions can lead to nasty fines in terms of the GDPR. The protection of personal data has become increasingly important with the development of the digital age and online activity, and data breaches do occur. When an EU citizen's data is compromised, they may report it to the EU authorities, who would investigate and possibly fine the South African company… in Euros! The initial fine could be in the region of 10 million Euros, which would cripple most companies. The issue of enforcement of the GDPR in South Africa is up for debate, as one may ask how the fine would be collected, but even receiving a notice of a fine of 10 million Euros in the post would be terrifying for any SA company. If you think your company may need to comply with the GDPR, then you must take steps without delay to start compliance processes.