With Europe's General Data Protection Regulation (GDPR) coming into force today, South African companies of all sizes dealing with the personal data of European residents should be focusing on their ability to comply. On top of GDPR, the South African Protection of Personal Information Act (POPIA) sets out fairly stringent guidelines for data protection.
Many local companies still fall short in terms of legislation such as GDPR and POPIA, and find themselves increasingly pressured to understand exactly what they need to do to ensure their data management is compliant.
The good news is GDPR and POPIA are simply different flavours of best practice data protection laws, and it is in the best interests of both customers and companies to comply. These laws are actually quite similar to each other and, by ensuring compliance, I believe there is a real business case that can provide companies with competitive advantage due to the implementation of best practice guidelines designed to protect everyone.
When SA enacted POPIA, there was no clear indication of what the GDPR would look like, and there were concerns the GDPR would be radically different from POPIA, forcing a significant change in POPIA.
Striving for safety
However, it has emerged that the GDPR is essentially an update to data protection law, rather than a complete overhaul. There is much debate about whether this is a good thing or not, and whether the GDPR effectively protects data privacy in the current risk environment. However, it is clear the GDPR, like POPIA, is striving to enforce better data protection and privacy practice across the digital realm.
Over time, regulations may change, but there are core principles all companies should adopt, whether they are listed or non-listed entities. These include international best practice, the best practice outlined in the King Code of Practice III/IV, and the laws of SA, including POPIA, the Electronic Communications and Transactions Act and the Consumer Protection Act.
For companies that already apply best practice and have moved to comply with POPIA, GDPR will not bring a great deal of change. It does, however, require fast action: the regulation takes effect today and its requirements are fixed.
By following these principles, companies will be in a position to align with global best practice and evolving legislation:
Executive awareness
GDPR and POPIA affect the whole business; this is not simply a security issue. If a company wants to keep up with global competitors and do business with EU citizens, it is everyone's issue. The entire executive team and the board need to be on the same page. To manage this risk on an ongoing basis, a data protection officer (DPO) should be appointed.
Privacy office
Once the executive team is on board, with funding and full commitment, it's time to organise the privacy office. This should be a full network: the entire organisation should be in the loop and everyone should be kept accurately updated on regulations and rules. The DPO needs to bring in a privacy counsel and a programme manager to help roll out GDPR/POPIA compliance across the whole organisation, from the CEO to sales and marketing, support, IT operations and so on.
Map protected data
Everyone's on board? Great. Now it's time to take a look at what personally identifiable information (PII) is collected and why. Where is it stored and how is it used? Take an in-depth audit now. Is PII transferred across borders? Who is it shared with and why?
Operational implementation
It's time to build and customise the company's processes, including its incident response process (under GDPR, a personal data breach must be notified within 72 hours). The DPO should also assess the company's third-party vendor risks at this time. Be thorough.
Awareness and training (repeat)
Build new specifics into the company's new-hire training, but don't forget about ongoing technical training for senior staff. Make annual security training mandatory and brief executive leadership on new GDPR/POPIA readiness.
Continuous compliance, detailed mapping and auditing of the "why" and "how" of the customer's PII and data, and setting up a strong privacy team with a DPO who knows the importance of getting buy-in from the board, will keep the company compliant.
Do not forget that policies are merely a start; yes, a great start, but implementation of these policies will only be achieved through ongoing monitoring. The latter is crucial to success.
Most of this can be outsourced. Policy is the starting point; action is compliance. As case law evolves, it is imperative for companies to ensure they have done everything in their power to be compliant and to use data privacy functions as a competitive edge.