South African companies doing business with European Union (EU) customers need to consider making changes to their data privacy, technology and oversight processes in the wake of new privacy rules. On 25 May 2018 new privacy rules formed by the EU will be implemented. The General Data Protection Regulation (GDPR) will replace the Data Protection Directive 95/46/EC.
The new rules will apply to the “processing” of “personal data” by “controllers” and “processors” based in the EU, as well as those located outside of the EU if they provide services and goods to EU customers. The GDPR will also apply to all organisations processing and holding personal data.
Busisiwe Mathe, Risk Assurance Cyber and Privacy leader, PwC Southern Africa, says that the GDPR will impact many South African and other organisations across the African continent. Businesses that do not comply with the GDPR face a potential fine of up to 4% of global revenues, which increases the need for organisations to plan for and implement the necessary changes so that they can demonstrate good standing in the eyes of individuals and regulators.
South African organisations are awaiting the Protection of Personal Information Act (POPIA). The POPIA is likely to be fully enacted in South Africa in early 2019 and comments on POPIA draft regulations closed on 7 November 2017.
Once POPIA is fully enacted, responsible parties and operators in South Africa that process personal information will have to comply with POPIA, and potentially with the GDPR as well. The GDPR was introduced by the EU more than a year ago, and organisations have been given less than two years to comply with it.
POPIA is South Africa’s first piece of comprehensive data protection legislation. It aims to give effect to the constitutional right to privacy by introducing measures whereby personal information processed by organisations is fair, responsible and conducted in a secure manner.
Compliance with POPIA will be a challenge for many organisations. The POPIA compliance journey will require organisations to consider many features within their organisation and strategic vision. The GDPR and POPIA have many commonalities but also a number of differences, one of the most significant being that POPIA includes “juristic” (business) entities in the definition of personal information – this will significantly increase the scope of personal information and provide additional challenges to comply with POPIA.
After May next year, EU companies that deal with SA companies can only do so if POPIA is in place, or if the SA companies can satisfy their EU partner that they have adequate rules and policies in place regarding data protection.
Organisations will have to provide clarity on how customer data is collected and stored. Any breach of data must be communicated within 72 hours to the responsible regulator, wherever the breach occurred and wherever the data subjects reside.