What SA businesses should do differently in light of GDPR
The General Data Protection Regulation (GDPR), a European Union (EU) initiative that came into force on 25 May this year, has introduced far-reaching changes to data protection legislation across the globe.
If they have not already started, it is essential that South African businesses begin to take steps towards compliance.
"The GDPR will affect all South African businesses that process the personal information of individuals located in the EU," says Karl Blom, associate at Webber Wentzel. "As a consequence, where South African businesses seek to advertise or make their services available in the EU, they will need to ensure that they're able to comply with the obligations set out in the GDPR as they will be liable for penalties and other sanctions under the regulation, in the event that they are found to be non-compliant by a regulator with jurisdiction."
Blom will be speaking at ITWeb's GDPR Update, to be held on 7 November at The Forum in Bryanston. He will outline what GDPR means for South African businesses and what they should be doing to ensure compliance.
He says the penalties under the GDPR can be significant, up to 4% of a company's global revenue or EUR20 million, whichever is greater.
Blom says that, from the outset, South African businesses will need to identify all personal information that they process that belongs to EU citizens. This will typically require a comprehensive data inventory or mapping data flows in and out of the business.
Once these records have been identified, the business will need to ensure it is GDPR compliant in its processing of the personal information of EU data subjects.
Moreover, he says South African businesses that process the data of persons in the EU will need to ensure that their compliance programmes are adjusted to align with changes to the GDPR, such as case law developments, to ensure that they remain compliant.
However, Blom says a large number of the GDPR's obligations are also found in South Africa's Protection of Personal Information Act (POPIA).
"In fact, POPIA's provisions are more onerous in some respects, including, for example, the processing of personal information pertaining to juristic or artificial persons such as companies and close corporations."
For this reason, he suggests that a sensible approach to GDPR compliance would be to augment an existing POPIA compliance programme to accommodate the unique requirements of
Delegates attending Blom's talk will receive a guide to determine whether the GDPR is applicable to their business, as well as practical tips on managing their GDPR compliance programme.