Peter Tobin, CEO of Peter Tobin Consultancy.

The countdown for the commencement of European Union (EU) General Data Protection Regulation (GDPR) has started, and South African organisations should start preparing.

So said Peter Tobin, CEO of Peter Tobin Consultancy, addressing the ITWeb POPI Update 2017 conference in Johannesburg this morning.

After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016.

According to Tobin, the GDPR will come into force in May next year, at which time organisations that are not compliant will face heavy fines.

The GDPR replaces the Data Protection Directive and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organisations across the region approach data privacy.

The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies, including South African, processing data of EU residents.

"As the European Union General Data Protection Regulation comes into force in May 2018, the time is right to understand the relevance of the EU GDPR to organisations in South Africa and the similarities and differences between the EU GDPR and the POPI Act," Tobin said.

He also noted that the EU GDPR is one of the most important changes in data privacy regulation in the past 20 years, and that South African companies which deal with European countries must be prepared.

Giving an overview of the GDPR, Tobin said the single regulation automatically applies to all EU members, including the UK post-Brexit. It comprises nine chapters and 99 articles with multiple paragraphs, and it works in conjunction with other EU directives and regulations, he explained.

However, the GDPR has both similarities to and differences from SA's data privacy law, the Protection of Personal Information (POPI) Act, and local companies should take note. Both are based on principles or conditions; both emphasise a strong role for the regulator; both stipulate mandatory breach notification; both have penalties; and both encourage codes of conduct, he explained.

Nonetheless, there are also some notable differences. These include terminology: for example, the EU GDPR uses the word "controller" whereas POPI uses "responsible party".

"There are also massive differences in regards to potential penalties," said Tobin. "POPI's fines of up to R10 million are trivial compared to the EU GDPR's 2% to 4% of global revenue."