What GDPR means for SA businesses

South African entities that flout data privacy requirements face fines under the European Union’s General Data Protection Regulation.
Read time 4min 50sec

The European Union’s General Data Protection Regulation (GDPR) was adopted in April 2016, replacing and improving on the EU Data Protection Directive 95/46/EC. It came into force in May 2018.

It is arguably the most important change in data privacy regulation in two decades and is aimed at reshaping the way in which data is handled across every sector, from banking to healthcare and beyond. Moreover, non-compliant organisations face heavy fines.

The motive behind the implementation of GDPR is to standardise data privacy laws across the European continent, plus protect and empower all EU citizens in terms of their rights to data privacy.

To summarise the scope of GDPR as per articles two and three, it applies to:

  • Organisations that control and process data and are established in the EU, regardless of whether or not the processing takes place within the EU and irrespective of whether a payment of the data subject is required.
  • Organisations not established in the EU offering goods or services within the EU or to EU residents and citizens, also irrespective of payment.

So this means the regulations will apply not only to EU-based companies but also to data controllers and processors around the world. With the threat of fines of up to €20 million or 4% of annual global turnover (whichever is greater) for companies breaching GDPR, organisations have little choice but to re-evaluate measures to safely process personal data.

Gartner notes that 30% of organisations have only a basic understanding of the Act.

The big stick?

The stick is very big indeed. The following are just some examples of global companies that were fined for non-compliance:

In July, the Information Commissioner's Office (ICO) announced its intention to fine hotel group Marriott International more than £99 million under GDPR for a data breach concerning the personal data of approximately 339 million guests.

Examples abound of companies facing fines and investigation under the terms of GDPR.

It is interesting to note that of the 339 million data subjects, roughly 30 million related to residents of 31 countries within the European Economic Area. Marriot notified the ICO about the breach in November 2018.

In the same month this year, the ICO also made public its intention to fine British Airways £183.39 million for infringements that dated back to September 2018. The personal data of 500 000 customers was diverted to a fraudulent site where it was harvested by the attackers. It is alleged that poor security arrangements on the British Airways Web site resulted in the breach.

In May, the Irish Data Protection Commission announced its intention to investigate ad tech giant Quantcast for non-compliance and breach of privacy accusations. This is a move that broadens the reach of GDPR, as the types of companies facing regulatory scrutiny have been consumer-facing companies like Facebook and Google, possibly opening the door for further investigations into this sector.

Therefore, examples abound of companies facing fines and investigation under the terms of GDPR.

Can non-EU (eg, South African) entities face fines under GDPR? In a word – yes!

If the South African company has an establishment, subsidiary or representatives in the EU then the authorities can levy a fine on it. Barring that, EU courts will have to use negotiated civil enforcement mechanisms between EU states and other countries.

The EU has the option to sanction/block wilfully non-compliant data processing entities that the EU commission deems a high risk.

GDPR prescribes that cases are assessed individually. The fines must be effective, proportionate and dissuasive for each individual case.

With regards to actually deciding whether or not a company can be fined and what level of penalty can be levied, the authorities have a statutory catalogue of criteria which they must consider for their decision. Among other things, intentional infringement, a failure to take measures to mitigate the damage which occurred, or lack of collaboration with authorities, can increase the penalties.

One interesting example of a situation where a fine was mitigated down is a German Web site that suffered a security breach in clear violation of GDPR. The platform verified it held 330 000 e-mails that belonged to unique users and that in some cases, the users’ real first names and places of residence were leaked in an attack that was found to have taken place in July.

The probe showed the site stored the passwords in plain text, for which it ultimately earned itself the fine. But the fine was reduced because the company worked with the German authorities to become compliant. The data protection authority acknowledged what it called very good cooperation and exemplary transparency, on the part of the business.

This was augmented by the implementation of a range of enhanced security measures that the site put in place, since the incident occurred, and that continue to be applied in conjunction with the authority.

This – and the watchdog’s considerations for the overall financial burden on the company and other factors – appears to have helped to ultimately keep the penalty in relatively low figures.

So, enough of GDPR, what about South Africa and POPIA?

In my next Industry Insight, I will expand on POPIA and explain why, despite a three-year wait, you should be implementing an informed compliance strategy now.

Gregory Dellas

Information security specialist working for CA Southern Africa

Gregory Dellas, CISSP, is an information security specialist working for CA Southern Africa since 2018. He is a former EU-GDPR practitioner and draws knowledge from having consulted in multi-disciplinary security roles for over a decade in the broader IT industry.

See also