The GDPR was designed to harmonise privacy laws across Europe. The biggest change comes with the extended jurisdiction of the GDPR as it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company's location. Those organisations in non-compliance will face heavy fines of up to 4% on global turnover or 20 million euros – whichever is greater.
ITWeb Events spoke to tech and legal expert Nerushka Bowan about the implications of the GDPR, as well as the similarities and differences between GDPR and POPIA. Bowan will be presenting at the upcoming ITWeb POPI Update II, at Summer Place, Hyde Park, on 21 November 2017.
ITWeb Events: You are presenting on the similarities and differences between POPIA and GDPR – why does the SA market need to have a solid understanding of both? What are the implications of not understanding both?
Bowan: The GDPR has extra-territorial application, which means that some South African organisations may need to comply with the GDPR. These include organisations which deliver goods or services (not necessarily for money) to data subjects in the EU or monitor data subjects in the EU. If you do need to comply with the GDPR, the deadline is 25 May 2018. Non-compliance with the GDPR can result in fines of up to 20 million euros or 4% of global turnover, whichever is higher.
All organisations based in South Africa will need to comply with POPIA. We do not have a deadline yet for The Protection of Personal Information Act (POPIA), but the Information Regulator was appointed on 1 December 2016 and regulations were published for comment on 8 September 2017 and open for public comment until 7 November 2017. Non-compliance with POPIA can result in fines of up to R10 million.
Organisations that comply with the GDPR now will have a small gap to close for POPIA compliance.
ITWeb Events: What are the three key factors to consider when discussing the GDPR for SA organisations?
- Being GDPR compliant assists in doing business with companies in the EU as they will be more at ease sharing information with you.
- The GDPR places more obligations on data processors as compared to operators in POPIA.
- The EU is seen as a leading jurisdiction for data privacy legislation and often looked to for guidance on best practices.
ITWeb Events: For organisations that retain large quantities of personal data – what should their first action be?
Bowan: Organisations should first determine whether the GDPR applies. Then they need to map out their data flows i.e. how does it enter the organisation; where is stored; who uses it; who is it shared with; how is it destroyed and so forth.
After which the organisation needs to identify whether they process high risk data, for example, large quantities of sensitive health data (this may require additional obligations, for example, appointing a representative within the EU and conducting a privacy impact assessment), and then map out the low, medium and high risk areas that need to be mitigated against to build your project plan of action items. For example, it may be a high risk that your service providers do not have GDPR compliant agreements in place, but that can be mitigated by negotiating new compliant amendments to the agreements.
Another very important early step is awareness and education in the organisation. It is great to have policies and contracts in place, but if your employees are not aware of what their obligations are, they become the biggest risk of non-compliance or a data breach.
ITWeb Events: What is the first question that most clients ask when engaging you in conversation on this subject?
Compliance with data privacy laws require a project plan, taking positions on tough questions, ensuring your service providers are compliant, ensuring your employees are aware and educated about their obligations, buy-in from management, introduction of new or amended processes, introduction of new or amended policies, documents and contracts and enhanced data security.
Even after implementation, compliance will be ongoing. That is why the laws require an Information Officer to be appointed to ensure compliance during and after implementation.
ITWeb Events: Why did you say yes to presenting at the upcoming POPI Update II? What is it that you bring to the table and what do you want attendees to take away with them after your presentation?
Bowan: Everyone needs to comply with data privacy (whether GDPR or POPIA) and the more aware organisations are about their compliance obligations, the easier it will become for them to reach their compliance goals. I would like the audience to be able to walk away informed and armed with practical next steps.