The General Data Protection Regulation (GDPR), set forth by the European Union, comes into effect later this month, and companies have been scurrying to ensure they are compliant.
The GDPR restricts and regulates how the data of EU citizens is stored, used and collected, which has consequences for South African businesses.
Any company that collects data from an EU citizen will have to comply with the regulations. So if you are a small company collecting email addresses for a newsletter, for example, it’s best to comply with the GDPR just in case an EU citizen wants to know more about your company.
Not complying with the GDPR can result in massive fines being levied against your firm.
“GDPR is one of the biggest shake-ups ever seen affecting how data relating to an individual should be handled – and many African organisations that process the personal data of individuals who are based in the EU are not yet ready for it. Time is running out for them to get their houses in order and there are serious implications if you are a business not taking this seriously,” says Pieter Bensch, executive vice president for Sage in the Middle East and Africa.
While this sounds like a massive undertaking, a legal battle with the EU could be just as time-consuming. So in a bid to help businesses prepare for the 25th May when GDPR goes live, Bensch has a few tips.
Step one – Get informed
“The first step towards complying with the GDPR is to understand the new demands the regulation places on how your business collects, manages and stores the personal data of European citizens and residents,” explains Bensch.
A good place to start that understanding is the EU GDPR Portal. There you can find a wealth of information about the key changes to data protection acts, the scope of the regulations and more.
Step two – Audit data collection practices
Why does your company collect data? What is that data used for? Do you already hold data that was not collected in a way that complies with the GDPR?
These questions are vital for a business to ask, because European citizens will need to be informed about your data collection practices.
Some important questions to ask while auditing data collection practices include:
- Do you have processes in place to enable people to move, copy or transfer their personal data from your organisation to another, as it is their right under GDPR?
- Do your processes live up to the GDPR expectation of “privacy from start to finish”, that is, from the first contact with your company to the end of the relationship?
- Do you have a process in place to tell regulators and customers of a breach within 72 hours of becoming aware of it?
- Are your business partners and suppliers with access to your data about European users aware of the requirements of GDPR?
- Can you prove your compliance with GDPR if necessary?
Step three – Review how you get consent
A user giving explicit consent to receive email blasts, or even simple communications, is a core pillar of the GDPR and one that local firms should take note of.
Once the GDPR comes into play, users will have to give firms explicit consent before they can be contacted.
“If you are still treating silence as consent, or using pre-ticked consent boxes on your websites, you will need to review your processes,” explains Bensch.
Step four – Update your privacy notices
In the build-up to the GDPR going live later this month we’ve seen a number of big names in the tech space updating their privacy policies. This isn’t just a good thing to do, it’s a requirement, and Bensch explains that any data collected from EU residents or citizens will need to be treated differently.
“You will need to update your privacy notices to provide the additional information required by the GDPR, and you may well need to relook the portions of any contracts with EU residents and citizens that deal with their data rights,” says the Sage executive vice president.
Step five – GDPR compliance is everybody’s problem
The GDPR makes data protection everybody’s job. Companies should take the time to train employees in best practice for handling personal data. The same applies to third parties engaged to process data on a company’s behalf.
Step six – Time to get a data protection officer
Companies that process a large amount of personal or sensitive data will need to employ a data protection officer who has a deep understanding and knowledge of data protection laws. A similar provision is present locally in the Protection of Personal Information (POPI) Act.
This means that South African firms can prepare for POPI while complying with the GDPR.
“Laws like POPI in South Africa also expect companies to have an information officer – it makes sense for the same person to hold both roles,” says Bensch.
The GDPR comes into effect globally on 25th May.