New EU data protection regulation could affect SA
South African businesses that process the personal data of European Union (EU) data subjects will have to ensure they comply with the new EU data protection regulation.
This is according to Striata director Alison Treadaway, who says this may be particularly onerous on companies that take advantage of the weak rand to provide cost-effective outsourcing services to EU-based businesses.
The EU's General Data Protection Regulation (GDPR) was adopted by the EU Council and Parliament last month and will affect any business, in any country, that processes the personal data of people in the EU.
The regulation, which replaces the 1995 Data Protection Directive (95/46/EC), enters into force on 24 May, after which companies have two years before its provisions apply and they must have taken all the steps necessary to ensure compliance.
"Call centres, data centres and business process outsourcers that touch EU customer data will need to ensure they are fully compliant with the GDPR to continue providing services," Treadaway explains.
"A key element of the new regulations concerns the transfer of customer data outside the EU to jurisdictions where the data protection standards are not at a similar level," she says.
Treadaway says that if SA's Protection of Personal Information Act (POPI) were fully in force, this would have gone a long way towards motivating South African businesses to make the changes required to bring their data protection policies into line within the grace period. However, the lengthy delay in appointing an information regulator and fully enabling its mandate and powers means many local businesses have not started working towards compliance.
"This means a potentially much larger gap between what is legally required in SA today, and what the new EU's GDPR requires of companies processing data belonging to EU citizens."
Treadaway says it is generally believed SA's POPI Act was modelled on the UK Data Protection Act 1998 and the EU's previous directive, which raises questions over whether POPI in its current form will be adequate to meet the new GDPR standards.
"Large organisations that are already working towards POPI compliance will need to assess whether there is a gap between their POPI compliance targets and the GDPR's requirement relating to record-keeping obligations, mandatory privacy impact assessments and the ability to demonstrate compliance upon request."
She says there are many areas of alignment between POPI and the GDPR, which should make it easier for South African businesses working towards POPI compliance to also meet GDPR requirements. However, Treadaway still believes there are some key areas where POPI falls short.
"A requirement that is inadequately covered in POPI is the concept of 'data portability', which is the right of a data subject to receive his or her data in a 'structured, commonly used, machine-readable and interoperable format and the right to transmit those data to another controller'," she says.
"Compliant document repositories can take away the headache of interpreting and applying the new regulations to the management of customer documents, by facilitating the right kind of access to the data these documents contain and reducing the risk of penalties," Treadaway adds.
A secure document repository is a convenient online location where organisations can store documents so that they can be accessed by customer service agents or by customers themselves, helping the organisation meet its regulatory compliance and data protection obligations under all applicable legislation.