GDPR extra-territorial application impacts SA businesses
South African organisations should take heed of the General Data Protection Regulation's (GDPR's) extra-territorial application.
This was the word from Nerushka Bowan, an emerging and legal tech expert, speaking yesterday at the ITWeb POPI Update II 2017 conference.
The GDPR is a regulation that requires businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within member states. Non-compliance could cost companies dearly.
The GDPR marks a significant expansion of the territorial scope of the EU data protection regime, bringing a larger number of overseas businesses within its reach.
When determining whether activities fall within its geographical reach, the GDPR considers not only the location of the processing, as in the current EU Data Protection Directive, but also the location of the individual whose data is being processed, said Bowan.
When the GDPR takes effect, it will replace the data protection directive of 1995. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.
Bowan said this law will have an impact on South African organisations doing business with EU-based companies as local companies will need to comply with the data privacy law.
Quoting Elizabeth Denham, UK's information commissioner, Bowan said: "The GDPR is at root a modernisation of the law. Many of you will agree that the reform is long overdue. The world has changed a lot since 1995, not only technology, but business models, people's attitudes to their data, their demand that their information is properly looked after. The law needed to change too."
Under the GDPR, companies can face fines of up to 4% of global turnover or EUR20 million, whichever is the highest, for the most serious of breaches.
SA's version of the GDPR is the country's Protection of Personal Information Act (POPIA).
Also speaking at the event, John Giles, managing attorney at law firm Michalsons, said the biggest challenges organisations are facing in regards to adopting data privacy laws like POPIA and the GDPR is lack of executive buy-in, compliance fatigue as well as budget constraints, among others.
"These laws also have too much information and organisations don't know where or how to start implementing these laws," said Giles. "Lack of resources is also another challenge that organisations face."
While the GDPR has 260 pages, POPIA has 76, said Bowan.
According to Giles, the GDPR is part of the global body of laws and regulations that govern data protection.
"It is the most recent one and the global gold standard for the protection of personal information," Giles said.
"If you are an organisation that offers goods and services to European Union citizens or if you are monitoring their behaviour, you will be required to comply with the GDPR. If you process personal data for an EU entity, you will have to comply."
He believes the GDPR will also influence how POPIA is implemented. "If you are part of a multinational it is likely that your counterparts around the world are already taking steps to comply. As you engage with other organisations around the world, you may be required to show how you comply with the data protection regulations. We've already seen and acted on numerous requests to provide proof of compliance to ensure deals go ahead."