A new data privacy and protection framework, the General Data Protection Regulation (GDPR), will apply across the European Union from 25 May 2018, and it will change the game for African businesses, too. If your business is based in Africa and handles personal data about people in Europe, you will be expected to comply, even if you have no establishment in Europe.
The law affects just about every organisation in Africa that processes the personal data of individuals who are based in Europe.
If your company offers goods or services to individuals in the European Union (EU), or monitors their behaviour there, it will most likely need to comply. If you sell African fashion to European residents through an e-commerce website, for example, you will need to review your processes and systems for managing and processing personal data.
Business-to-business companies will also be affected. If you provide software development or call-centre offshoring services to European companies, they will expect you to comply with the GDPR, because the regulation puts an onus on organisations to ensure that third-party suppliers handling personal data on their behalf are compliant, typically through contractual terms and audits.
The GDPR sets out minimum requirements for the treatment of all personal data. Personal data is any information relating to an identified or identifiable individual, including things like physical appearance, biometric data, an individual's record in a customer relationship management system, or even something as simple as website tracking data collected via cookies.
Some key elements of the GDPR include:
Consent
If you collect data on the basis of individuals' consent, EU data protection legislation has always required that consent to be freely given, specific and informed. Under the GDPR, it must also be unambiguous and signalled by a statement or other clear affirmative action. In other words, pre-ticked consent boxes on websites, or silence or inactivity on the part of the individual after reviewing a privacy statement, will not constitute consent. You must also be able to demonstrate that consent was given, and individuals must be able to withdraw it as easily as they gave it.
Right to move or transfer personal data (data portability)
Under the GDPR, individuals have the right to receive the personal data they have provided to you, where the processing is carried out by automated means and is based on (i) consent or (ii) a contract, in a structured, commonly used and machine-readable format, and to have it transmitted directly to another company, even a competitor, where technically feasible. For example, a music service that builds a playlist for a user should let that user take the playlist along when switching to a new provider.
Proof of compliance
Under the GDPR, organisations should keep records of their processing activities, subject access requests, breaches, how consents were obtained, and data protection impact assessments (often called privacy impact assessments). For the record of processing activities there is an exemption for smaller companies (fewer than 250 employees), but it falls away if the processing is likely to result in a risk to data subjects, if the processing is not occasional, or if it involves special categories of data (such as information on health, religion or sexual orientation) or data relating to criminal convictions and offences.
Privacy from start to finish
Companies need to put in place technical and organisational measures throughout the lifetime of the personal data so that privacy is built in by design and by default: from the first contact with the company, through each interaction and transaction with the business, up to the end of the individual's relationship with the company and the deletion of the data. In practice this means collecting and using only the data needed for each purpose, and not retaining it longer than necessary.
Mandatory breach reporting
In the event of a personal data breach, a company that controls the data must notify the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned. If the breach poses a high risk to those individuals, the company must also notify them without undue delay. Suppliers that process data on a company's behalf must in turn report breaches to that company without undue delay.
Data Protection Officer (DPO)
Under the GDPR, organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of personal data (such as health data), must appoint a data protection officer. The DPO needs expert knowledge of data protection law and practice, and can be an employee or an external service provider.
A regulation with teeth
Getting ready for the GDPR will demand hard work. It will involve continuous training, undertaking regular audits, minimising the data collected, restricting access to personal data on a need-to-know basis, and implementing appropriate technical and organisational security measures such as pseudonymisation and encryption.
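As an added example (not from the original article or from Sage), the Python below shows the kind of pseudonymisation the previous paragraph lists among technical measures: direct identifiers in a constructed CRM extract are replaced with keyed HMAC-SHA256 tokens, so the records remain linkable for analytics while the key and the lookup table needed to re-identify anyone are kept in a separate system. The key value, the list of identifier fields and the sample records are assumptions for illustration.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Hypothetical key, for illustration only. In a real deployment this lives in a
# KMS/HSM and is readable only by the role allowed to re-identify records; it is
# the "additional information kept separately" that pseudonymisation relies on.
PSEUDONYM_KEY = bytes.fromhex(
    "9f1c7c2a4b0d6e8f1a2b3c4d5e6f70819293a4b5c6d7e8f90a1b2c3d4e5f6071"
)

# Fields treated as direct identifiers in this constructed CRM export (assumption).
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")


def pseudonymise_value(value: str, key: bytes, field: str) -> str:
    """Derive a pseudonym for one identifier with HMAC-SHA256.

    Keyed (rather than a plain SHA-256) so that someone holding only the
    pseudonymised dataset cannot recover identities by hashing guessed emails
    or phone numbers. Normalising the value keeps ' Alice@Example.com' and
    'alice@example.com' linkable; mixing in the field name stops an email token
    from matching a phone token derived from the same string.
    """
    normalised = value.strip().lower()
    msg = field.encode("utf-8") + b"\x00" + normalised.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_record(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Replace direct identifiers in one record with pseudonyms.

    Returns (pseudonymised record, {token: original value}). The second part is
    re-identification material and must be stored apart from the first.
    """
    out = dict(record)
    link: Dict[str, str] = {}
    for field in DIRECT_IDENTIFIERS:
        if field in out and out[field]:
            token = pseudonymise_value(out[field], key, field)
            link[token] = out[field]
            out[field] = token
    return out, link


def split_dataset(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Pseudonymise a dataset and return it together with a separate lookup table.

    The lookup table (with the key) is what allows re-identification; the
    pseudonymised records alone carry far less risk when used for analytics or
    handed to a processor. setdefault keeps the first spelling of an identifier
    so later records that normalise to the same token do not overwrite it.
    """
    pseudonymised: List[Dict[str, str]] = []
    table: Dict[str, str] = {}
    for rec in records:
        out, link = pseudonymise_record(rec, key)
        pseudonymised.append(out)
        for token, original in link.items():
            table.setdefault(token, original)
    return pseudonymised, table


def reidentify(token: str, table: Dict[str, str]) -> str:
    """Look a pseudonym up in the separately stored table (KeyError if unknown)."""
    return table[token]


# Constructed sample records; not real customer data.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "full_name": "Alice Dlamini", "country": "ZA", "orders": "3"},
    {"email": "bob@example.net", "full_name": "Bob Okafor", "country": "NG", "orders": "1"},
    {"email": " Alice@Example.com", "full_name": "Alice Dlamini", "country": "ZA", "orders": "2"},
]


if __name__ == "__main__":
    data, lookup = split_dataset(SAMPLE_RECORDS, PSEUDONYM_KEY)
    print(json.dumps(data, indent=2))
    print("rows 0 and 2 linkable by token:", data[0]["email"] == data[2]["email"])
    print("re-identified row 0:", reidentify(data[0]["email"], lookup))
```

The design point is key separation: the analytics copy and the lookup table are produced by the same call but should never be stored or exported together, and rotating PSEUDONYM_KEY invalidates every token, which is the behaviour you want when a copy of the data leaves your control.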
The penalties for non-compliance with the GDPR are tough and could be up to 4% of annual global turnover, or €20m, whichever is greater. You might be fined even if there is no actual loss of data. Though it might seem hard in practice for the EU’s regulators to sanction African organisations with no assets in Europe, non-compliance could harm a company’s reputation and its ability to do business in the EU.
What’s more, the GDPR will set a new pace for global data protection and privacy regulation, so compliance will help prepare your company for the future. Since the EU is a major trading partner for most African countries, many governments look to EU regulation for best practices. The GDPR already has some significant overlaps with laws such as South Africa’s Protection of Personal Information Act.
African organisations that already comply with these local laws will have a head start in preparing for the GDPR. Everyone else should start revamping their personal data protection and privacy processes and systems to prepare for a world where stricter regulation of how organisations use personal data is the new norm.
By Pieter Bensch, Executive Vice President, Africa & Middle East: Sage