By Daniel Mpala
Tech companies and startups that do business with the EU or EU citizens and fall foul of new data privacy regulation face a maximum fine of up to €20-million or four percent of their annual turnover.
The EU’s General Data Protection Regulation (GDPR), which will come into force on 25 May, aims to protect and empower EU citizens’ data privacy and will affect all companies — including South African and African startups — that do business with EU citizens.
Startups processing personal data of EU citizens — even if that is being done outside the EU — will be affected.
Among the regulation’s provisions is a requirement that organisations report any data breach to the responsible regulator within 72 hours, wherever the breach occurred and wherever the data subjects reside.
SwiftTechLaw technology attorney Russel Luck says SA companies must ensure that their data practices are in line with GDPR if they’re engaging with European businesses or transacting within digital spaces affected by the GDPR.
Luck adds that in light of Facebook’s Cambridge Analytica scandal, the public and enforcement organisations will be scrutinising information processing practices to ensure compliance.
How then should startups go about preparing for GDPR compliance?
Advises Luck: “Look at the definition of ‘processing’ and ‘personal information’ and take note that your company will be processing personal information”.
He adds that it is crucial that companies map out the most significant ways in which they process personal information within the organisation as well as externally.
“HR departments usually process a lot of personal information such as names, ID numbers, bank accounts and more. Destroy info immediately that isn’t relevant,” he says.
As a general point, he says, companies should ensure that they comply with generally accepted information security standards such as ISO and IEC standards.
An example of these is the International Organisation for Standardisation’s ISO/IEC 27000 family of over a dozen standards aimed at keeping information assets secure.
‘POPI to commence later this year’
In 2013 South Africa enacted its own data protection law, the Protection of Personal Information Act (POPI). Compliance to the act is enforced and monitored by the Information Regulator (South Africa).
Though the act was signed off by President Jacob Zuma in 2013, none of its provisions have yet come into effect — as a commencement date has yet to be set.
However, Luck believes organisations should by now have already taken active steps to become compliant with the act, and adds that certain preliminary provisions under the act are already in force.
He says POPI requires what is “reasonably practicable” to bring personal information processing activities in line with the act.
In a phone call with Ventureburn today, Information Regulator chairperson Pansy Tlakula said the agency is working on having the act commence by the end of the year.
“Commencement depends on the regulator being fully set up,” said Tlakula. She explained that the regulatory agency’s organisational structure and issues around staffing have still to be finalised.
Do the two — POPI and GDPR — then overlap? Will compliance with POPI cover GDPR as well?
Tlakula says the regulator hasn’t yet done a proper analysis of the differences or similarities between the two, but adds that there is a need to be aware that GDPR is an “international standard”.
But Luck says if firms comply with POPI, they will meet the minimum necessary to comply with the GDPR — if not surpass the GDPR’s protective measures.
“In terms of POPI’s S3 (2) (b) where more than one piece of privacy legislation is applicable to a certain activity, the legislation that imposes the greater threshold of privacy standards will apply,” says Luck.