GDPR or POPI?
Why should South African businesses care about a piece of data privacy legislation that is due to come into force next year in EU countries?
This was the topic under discussion at a roundtable hosted by Forcepoint recently. Attendees were taken through data privacy regulation by an IT law consultant, Professor David Taylor, who provided insight into the way forward for South African businesses.
The European Union's General Data Protection Regulation (GDPR) will come into effect in May 2018. It requires organisations to place a much stricter focus on data protection. Closer to home, we have the Protection of Personal Information Act, or POPI, which also regulates the processing of personal information.
South African businesses can be forgiven for not knowing which legislation to comply with but, according to Professor Taylor, the answer is simple. "If your business data is going to or coming from an EU country, you have to comply with GDPR, so it makes sense to comply with that standard as by doing so, you'll be covered for POPI too."
Professor Taylor explains: "In South Africa, legislation is often enacted in response to an event, whereas European countries use legislation to give themselves a competitive advantage. The result of this is that European privacy law is now the accepted standard and has been implemented by countries around the world.
"When deciding which legislation to comply with, you have to ask yourself: who calls the shots in the information age, South Africa or Europe? It then becomes clear which regulations you have to align your business with. As long as 20 years ago, a law was passed that businesses can't send information to another country unless that country has a proper privacy law in place, which is why we now have POPI. Europe wouldn't send us their data without it. If your business is participating in the global economy, it has to comply with certain rules and regulations."
Christo van Staden, Forcepoint Regional Manager for Sub-Saharan Africa, agrees: "Some people mistakenly believe that data can only be in the cloud if the data centre or servers are in South Africa. The law does not require this. Focusing on the physical location of data can lead you down the wrong path. A simple example: when an executive travels to the EU and accesses his computer, e-mails, reports and databases, does it matter where the data physically sits? Rather look at complying with the GDPR by focusing on data flow, use and movement. You would do this through the whole life cycle, from creation to destruction. This way, wherever the data physically sits or wherever it flows, it's protected. Of course, making good decisions about who your cloud service provider is, what contracts you have with them and so on is still important. But that is not your starting point. Your starting point should be what best helps the business meet its objectives and strategies."
These laws state that you have to have appropriate data privacy measures in place, and while those measures may vary, there is a baseline they must adhere to. One of the biggest changes, according to Professor Taylor, is that the laws are focusing increasingly on a risk-based approach, where the business needs to assess its own risk. He says: "My advice would be for an organisation that processes personal information to appoint a data privacy officer.
"Businesses are going to have to take more responsibility for their behaviour, and there's no silver bullet solution; you can't buy compliance, you need to do it. It's going to require legal, organisational and technical measures, and there are no short cuts.
"There are two ways that you can see this: either data privacy is just another compliancy issue, and you do what you need to in order to protect your business against legal action; or you realise that your business needs legislation like GDPR and POPI in order to survive and even thrive. Obviously the latter is the stronger of the two approaches," concludes Professor Taylor.