GDPR will cost SA businesses
In May the European Union's General Data Protection Regulation (GDPR) came into effect. This stringent new privacy law, which covers any organisation that processes information about EU residents, will profoundly affect the way data is collected, stored and used, not just within the EU but also for South African companies doing business overseas.
According to Peter Hill, director of IT Governance Network, violations of the GDPR data transfer provisions are subject to astronomical fines of up to 4% of a company's global annual turnover or EUR20 million, whichever is greater.
Hill says the factors that are taken into account for imposing a fine include the nature, gravity and duration of the infringement, the intentional character of the infringement, as well as actions taken to mitigate the damage suffered.
Other factors include the degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct, and any other aggravating or mitigating factor.
New systems, staff
Hill says costs associated with the GDPR go beyond fines and penalties.
All organisations that collect and use EU customer data will have to bear the cost of new systems, as well as the infrastructure necessary to support, enforce and audit them.
South African companies that are required to comply with the GDPR will also have expenses related to having an EU-based representative if they do not have a presence in the EU, as well as an EU-based data protection officer.
Then there's the documentation of the processing of personal data, data protection impact assessments, and the implementation of effective technical and organisational measures. He says there will also be costs associated with the business's capability to demonstrate compliance, data subject request handling processes, and consent management processes. Finally, the cost of monitoring compliance, enabling data subject rights, and the cost of assurance must also be taken into account.
Hill will be presenting on 'How to determine the cost and compliance obligations of the GDPR', at ITWeb's GDPR Update 2018, to be held on 7 November at The Forum in Bryanston.