Final countdown to GDPR - are you ready?

Justin Lee, Managing Director, Obscure Technologies


Johannesburg, 29 Aug 2017

Many South Africans don't realise it, but the EU's GDPR (General Data Protection Regulation) has implications for South Africa. The GDPR came into effect on 26 May 2016, and those subject to the regulation were given a two-year grace period, which ends on 25 May 2018. With the days counting down, are you ready?

The conversation around data has become increasingly complex. With multiple pieces of data-focused legislation in play, companies no longer need only to know how to unlock the value in their data, but also how to make sure they remain compliant. In South Africa, we are barely getting to grips with POPI/POPIA, and now we have to get our heads around a piece of European privacy/data protection legislation as well.

GDPR has implications for countries outside the EU, including South Africa. There is a good chance that you will need to comply with multiple different data protection laws (such as the GDPR, the ePrivacy Regulation, POPIA and the Privacy Shield). Why should we be concerned about GDPR? The main reason is that we need to be prepared for doing business with companies in European countries; otherwise they will see us as high risk from a personal information protection perspective and won't do business with us. This is why it is important to take a global view and comply with what is common among these laws.

It applies to any organisation that holds or processes data on EU citizens, regardless of where it has its headquarters. This includes companies that have employees in the EU, sell or market products or services in the EU, or partner with EU organisations.

The GDPR does not protect legal entities. It also does not create such serious penalties for failing to protect an account number. It exempts SMEs, and it deals with the right to be forgotten and data portability. The GDPR has a definition of genetic data and requires data controllers to carry out data protection impact assessments. The fines are much bigger under the GDPR: penalties can be up to 4% of an organisation's global annual turnover, whereas POPI/POPIA has a maximum fine of R10 million or time behind bars. In other words, GDPR penalties are much higher than the POPI/POPIA penalties, so ignoring it could hurt us more financially than ignoring POPI/POPIA.

Organisations should consider the following high-level requirements and recommendations:

* Appoint a data protection officer: Article 37 of the GDPR states that data controllers and processors shall designate a data protection officer (DPO) where the core activities of the organisation consist of processing operations which:
1. Require regular and systematic monitoring of data subjects on a large scale; or
2. Consist of large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offences.

Key consideration: If a company has not yet appointed a DPO, someone with the appropriate skills and experience should be assigned to, and take accountability for, this important role in order to meet the requirement.

* Perform a data protection impact assessment: Article 35 of the regulation requires data controllers to perform a data protection impact assessment (DPIA) in situations in which processing operations present specific risks to the rights and freedoms of data subjects. The assessment should contain at least a general description of the planned processing operations and an assessment of the data privacy risk.

Key consideration: Undertake a DPIA to understand key data privacy risks the organisation may face, and establish a prioritised plan to mitigate these. This DPIA should include an assessment of the type of private data processed and the types of risks it may face in complying with the GDPR requirements. We also recommend that such a DPIA be included as part of a broader information risk assessment driven top down by senior management.

* Integrate data protection into design: Article 25 requires a data controller to consider the privacy and protection of personal data within each project developed (both structural and conceptual) from the design stage. The GDPR links the principle of data protection by design to the principle of data protection by default, which enforces personal data protection by stating that, by default, companies should process personal data only to the extent necessary for their intended purposes and only for the period strictly necessary for those purposes, and should ensure that personal data is not made accessible to an indefinite number of people.

Key consideration: Review application development processes to ensure that data protection is being considered and executed as outlined by the GDPR. The same review should be performed for existing business processes that leverage private information.

* Establish a compliance framework: Data controllers and processors are required to document policies enacted and measures taken to demonstrate that processing of personal data is performed in compliance with the GDPR. Such policies should also establish a culture of monitoring by periodically reviewing, assessing and evidencing that their data processing procedures maintain compliance with the main tenets of the GDPR: minimise data processing, adequately and proportionately retain data, and build in appropriate safeguards.

Key consideration: One of these policies should be a data classification policy that implements a systematic way for an organisation to identify personal data and documents where it is being processed or stored so the organisation can formulate and enact procedures to protect that data. Another key process which forms part of the framework is a risk assessment process that includes both business impact analysis and risk appetite setting activities. Data privacy awareness training should also be part of this framework to ensure staff are trained to understand their obligations.

* Be better prepared for reporting data breaches: One new obligation is for data controllers to notify personal data breaches (those likely to result in a high risk to the rights and freedoms of the data subjects) to their local data protection authority (DPA). This must be done without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Additional processes for incident handling and breach reporting may be required to meet these requirements.

Key consideration: Review current disclosure processes to ensure they comply with the GDPR. Ensure that appropriate processes and procedures are in place to detect, respond to and recover quickly from incidents within the permitted time-frame. Educating executive and technical teams on incident response and reporting procedures will be critical. Moreover, preparing responses well in advance of a crisis is also advisable.

* Evaluate the legitimacy of international data transfers: Binding corporate rules (BCRs) and standard contractual clauses remain valid tools for transferring personal data outside the European Union within a multinational company. However, these are not sufficient to transfer data to third parties outside the European Union.

The GDPR does not replace the legacy Safe Harbour agreement, and therefore the rules for data transfers to third parties outside the European Union remain ambiguous while the European Union and the United States finalise the Privacy Shield. Those hoping for a revamp in this area, after Safe Harbour, will be disappointed. An organisation must ensure it has a legitimate basis, as described in Article 46, for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation. If the organisation plans to engage in intragroup international data transfers, it will need to comply with the BCRs set out in Article 46 of the GDPR.

Key consideration: Because uncertainty still exists regarding the handling of data transfers to the United States, organisations should closely monitor developments on the Privacy Shield and any other successor to Safe Harbour as they are finalised. For intragroup transfer requirements, organisations can consider the use of BCRs; however, these are not straightforward and will require legal consultation. Organisations should also consider options for relocating data held by third parties back into Europe. Furthermore, the strategic choice of future data centres and cloud service providers should be made with a view to reducing the uncertainty, risk and complexity associated with data transfers outside the European Union.

* Implement processes supporting the new rights of data subjects: Under the GDPR, data subjects are given rights such as the right to data portability and the right to be forgotten, and they may choose to exercise them.

Key consideration: Organisations may need to develop additional policies and processes to respect the new rights of EU citizens. These plans may not be straightforward, as organisations may not have the processes and technology in place to deal with such requests. Furthermore, rules on record retention and requirements for referential integrity may also complicate a company's ability to meet this requirement. Organisations therefore need to be aware of, and prepare well in advance for, the key process and technology changes required to meet the GDPR requirements.

* Organisations may need to re-establish consent: Data subjects must give clear and affirmative consent to the processing of their personal data. This can consist of ticking a box when visiting a website, taking another action, or making a statement clearly indicating acceptance of the proposed activity. However, according to the GDPR, silence, inactivity or pre-checked boxes will not suffice as consent. Consent must be obtained separately from standard terms and conditions and cannot be made conditional on use of the service being offered.

Key consideration: Organisations need to carry out an exercise to establish whether the consent historically received from EU citizens complies with the GDPR requirements. Those who currently hold or have acquired personal data in a manner not in line with the GDPR will need to obtain fresh consent from data subjects before continuing to use their personal data. This exercise may not always be straightforward and will require sufficient planning to execute effectively and to ensure the data they hold on EU citizens is compliant with GDPR requirements.

* Review current contracts: Data processors will have direct responsibilities to regulators and data subjects to report data breaches. Previously, data controllers were primarily responsible for this. Increased responsibility and liability implications will affect contractual arrangements for those sharing personal data. Also, previously, data controllers were in control of how and when to report breaches to the regulator. This procedure will now change.

Because of the changes in responsibility for breach notification, contracts between parties involving data protection will need to be reviewed to ensure that appropriate measures are put in place. Data processors and data controllers will also need to undertake further care regarding third-party contracts to ensure no undue exposure, specifically concerning liability to third parties and additional reporting responsibilities.

Key consideration: Organisations should review their contracts with third parties and ensure they understand their roles and responsibilities in relation to the GDPR. Where existing policies and practices fall short of the GDPR requirements, additional remediation may be required to manage their data privacy risk.

Requirements and recommendations obtained from: https://www.protiviti.com/ZA-en/node/17661

As the clock is ticking, the question remains: are you ready? Do you understand the issues and challenges regarding GDPR and POPI/POPIA, and how to leverage these in a positive manner?

Editorial contacts

Surita Schoeman
Obscure Technologies
surita.schoeman@obscuretech.net