Africa's limited data protection laws heighten GDPR significance

Read time 2min 30sec
Tiaan van Schalkwyk and Samantha Buchler, Deloitte.
Tiaan van Schalkwyk and Samantha Buchler, Deloitte.

Many African countries have no data protection legislation whatsoever. However businesses in Africa that have dealings with EU companies, or share data or deal with EU citizens residing in Africa, have to be aware of the implications of GDPR data protection legislation that comes into effect on 25 May 2018.

At the ITWeb Security Summit 2018 in Midrand, Johannesburg, data privacy expert Samantha Buchler and information/cyber security specialist Tiaan van Schalkwyk from Deloitte said the GDPR has `an extra-territorial effect'.

This means that Africa's limited maturity regarding data protection legislation becomes all the more relevant.

"African organisations are not consistent across the continent regarding the levels of maturity from a data protection standpoint. A lot of countries on the continent have no data protection legislation whatsoever," said Buchler.

There are similarities between South Africa's Protection of Personal Information (POPI) law and GDPR in terms of storage of personal information, access, manipulation and use.

Companies that believe themselves to be 100% POPI-compliant would essentially be about 80% to 90% GDPR-compliant.

Samantha Buchler, Deloitte

Buchler explained that companies that believe themselves to be 100% POPI-compliant would essentially be about 80% to 90% GDPR-compliant.

Van Schalkwyk and Buchler pointed out that GDPR includes a codified requirement for a data protection officer for companies with 200 or more employees.

"Whereas in POPI, there is a requirement for this position for companies of any size," said Van Schalkwyk.

GDPR also covers data inventory extensively, with the premise being that businesses need to know exactly what personal information is being processed, "because you need to know exactly what it is you are protecting."

The GDPR pays particular attention to consent management, records of processing activities (and the consumer's 'right to be forgotten'), which have implications as far as the regulation of unsolicited marketing is concerned, or the right for consumers to demand a business/service/ organisation deletes their history and all personal information upon request.

Buchler said aspects like accountability and data portability have proven to be challenges impacting compliance.

According to the Deloitte Global GDPR Survey, only Germany and Austria have declared themselves to be GDPR-ready.

In an article titled There are no GDPR quick wins, author Gregg Petersen, regional vice president at Veeam, said despite the looming threat of penalties for non-compliance, a survey by international law firm Paul Hastings found that many top UK and US businesses are massively overestimating their GDPR readiness.

"As many as 94% of FTSE 350 and 98% of Fortune 500 companies believe they're on track to comply with the GDPR by 25 May 2018. And yet, the same report found that only 39% of UK and 47% of US businesses have set up an internal GDPR taskforce," Petersen said.

Login with