The General Data Protection Regulation, more commonly known as the GDPR, has come into effect, and there are still many people in South Africa who have turned a blind eye to it and don’t realize that they will need to comply. It is not just the EU!
So how will the GDPR affect South African businesses?
Just because you don’t live in a European country doesn’t mean you can ignore the GDPR. You have to think about the reach of your business or any businesses that you deal with.
Any business that provides a service in the EU has to comply, regardless of whether the service provider has a presence in the EU or the recipient of the service is an EU citizen.
It also stops European organisations from sending data to other countries unless they are sure that GDPR-equivalent data protection laws are in place.
And in today’s hyper-connected world, you could very well be doing business with someone in Europe one day.
What does this regulation protect?
GDPR puts you at the center of data protection, giving you the right to know how your personal data is being used, stored, protected, transferred and deleted, as well as the right to be forgotten.
It governs how businesses can collect, process and store information that could lead to the identification of an individual, including names, ID numbers and even IP addresses and location data.
The good news:
- Although GDPR introduces strict compliance requirements, the basic rules for data protection remain the same. This means that compliance won’t require businesses to build something from scratch but rather calls for a revision of existing compliance procedures.
- Anytime a business works to improve processes and procedures, certain benefits naturally accrue. Becoming compliant with GDPR presents businesses with a number of opportunities, including improved data governance, which will drive business efficiency.
- Other benefits cited included improved business reputation (30%), improved customer satisfaction (29%), and a boost in the organisation’s external value proposition (29%).
- The word ‘general’ in GDPR implies that there is some room for interpretation of the law. This makes it difficult for businesses to know what “good” looks like and if the actions they’ve taken to comply are sufficient – a challenge cited by 20% of respondents.
- It is difficult to establish an inventory of what data is being collected, used and stored across an organisation. Data needs to be identified and catalogued, all while maintaining a record of the data lineage. This is an enormous task that cannot be done manually.
- Security will also become a crucial focus area for any business dealing with personal data. All organisations will need to protect their networks against breaches and have systems in place to inform affected individuals and authorities if data is compromised.
There are very hefty penalties for not complying: 20 million euros or 4% of your annual turnover, whichever is higher. You can imagine the zeros added when you convert that into rands.
Four questions determine whether the GDPR applies to your business:
- When an organisation is incorporated in Europe, that entity has to comply with all European laws, including the GDPR.
- If an organisation is active in Europe through a ‘stable arrangement’ in the EU, the GDPR will apply.
- If the SA business is not established in Europe under questions 1 and 2, the GDPR may still apply if it offers goods or services to individuals while they are in the EU.
- Lastly, and perhaps most importantly for digital marketers, the GDPR will apply to a South African business if it is monitoring the behavior of individuals while they are in the EU.