Compliance is just good business sense
Local companies doing business with European counterparts have to comply with Europe’s General Data Protection Regulation. Is this another onerous legal issue, or will they also benefit from this law?
Although the local Protection of Personal Information (POPI) Act has yet to come fully into force, the European Union’s (EU) General Data Protection Regulation (GDPR) is already in full swing. Since any South African company that does business with an EU organisation is also expected to comply, the question one must ask is: how have local companies been responding to GDPR?
Colin Thornton, MD at Turrito Networks, suggests that local companies that touch the data of any EU companies will definitely start to see the pressure building around data security and other GDPR mandates.
There is certainly increasing local concern about it, he explains, with some EU businesses simply sending questionnaires to confirm that the local company follows best practices for data protection, while others are insisting on substantial changes to contracts and agreements. These usually relate to indemnifying the EU business in the event of a breach for which the local company is responsible.
“The main reason businesses are so nervous about GDPR is the simple fact that it has already been signed into law, and more pertinently, it is already being effectively enforced. There have, in fact, already been hundreds of fines handed out to companies in the EU for failing to adhere to the legislation. From a local perspective, it must also be remembered that these are Euro-value fines, making it all the more urgent for local businesses to stay on the right side of GDPR – the exchange rate makes such fines particularly challenging for local businesses,” he says.
“Despite the size of the fines, most players in the industry feel that while it is tough, the law is effective in how it protects not just consumers’ information, but all important data. Local organisations understand that this is something that should be done, both from a moral and a good business standpoint, and so they are happy to stay within the bounds of the law.”
He adds that GDPR is definitely beginning to change local data security measures for the better, suggesting that there is every chance GDPR will ultimately end up having a bigger and more immediate effect than the POPI Act. This is because a typical GDPR agreement will focus on encryption and backups, and when asked detailed questions about these by an EU partner, local businesses may well realise they have weaknesses here that they were previously unaware of.
“In the end, the GDPR creates a chain of entities that – because they either touch an EU company, or touch a local business that touches the EU company – all have to have everything in place to meet GDPR requirements. Therefore, my best advice is to always be transparent in your dealings and ensure that your business, at least, adheres to this law.”
“Of course, true adherence requires a paradigm shift in the way in which a business thinks about IT. It essentially requires a platform-wide change in order to deliver the right levels of data security, which means, for instance, that instead of having documents spread out across a network, or stored on a file server, the organisation should implement a platform like SharePoint or G Suite.”
The reason for this, says Thornton, is that employees are no longer sending links across the Internet or using disparate chat platforms. Instead, everything is on a single platform, where the data is recorded and searchable and rules can be implemented regarding who is allowed to e-mail or copy important data. With the right platform, he adds, a business can properly cover everything necessary to be GDPR compliant.
“Ultimately, enterprises today want to know that their data is being looked after securely, whether this is covered by the law already or not. Therefore, even if it is not a requirement, it remains good business sense to ensure such compliance. Remember that apart from avoiding the punishing fines that are associated with GDPR non-compliance – while at the same time making your organisation available to do business with any and all EU companies – such an approach will demonstrate even to potential local customers that you are on the right side of a data protection law that has been tried, tested and works, and that is definitely a positive selling point,” concludes Thornton.