Today, the General Data Protection Regulation (GDPR) comes into effect, and it changes the manner in which companies are allowed to use (collect, process and store) people’s information. This includes people’s names, ID numbers, IP addresses, email addresses, location data, and internet browsing habits collected by website cookies.
In recent years we have witnessed how easily people’s information has been accessed and used, sometimes for the wrong reasons: sales representatives calling without you ever having given them your number, random SMSs offering deals on certain products, or leaked conversations of public figures. Many people have dealt with – and continue to deal with – this problem.
At the heart of GDPR is the right for individuals to know how their personal information is being used by the companies that are in possession of it.
How does it impact South African businesses?
Plenty of people assume that just because this policy is European, it will not affect their local businesses. That is incorrect.
The reality is that if your business transacts with (sells products or services currently or previously) any of the 27 European countries, has a presence in any of them, or even just stores the information of any EU citizen, then GDPR affects you, too.
This means that local businesses need to ensure that they understand how GDPR affects their businesses, the potential risks of being non-compliant, and work towards becoming compliant.
According to an article on the South Africa PwC website, “EU companies that deal with SA can only do so if … the SA companies can satisfy their EU partner that they have adequate rules and policies in place regarding data protection.”
This simply translates to a loss of business in the event that your company is not compliant.
Here is a list of the ten principles that make up the GDPR policy:
- Consent
Clear and explicit consent must be obtained from the data subject from whom the data is being collected. Once collected, this consent must be documented, and the data subject is allowed to withdraw their consent at any moment.
- Breach notification
Companies must maintain a Personal Data Breach Register and, based on severity, the regulator and data subject should be informed within 72 hours of identifying the breach.
- Right to access
Data subjects have the right to ask companies what information they hold about them, and what they do with it. In addition, individuals have the right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of their personal data.
- Right to be forgotten
Under the GDPR, companies must erase all personal data when asked to do so by the data subject. At that point, the company will cease further dissemination of the data, and halt all processing.
- Data portability
Companies are required to provide mechanisms for a data subject to receive any previously provided personal data in a commonly used and machine-readable format. Under this provision, the data subject also has the right to request the company transmit the data to another processor, free of charge.
- Privacy by Design
Companies can process only the data absolutely necessary for the completion of their business and limit access to personal data to only those employees needing the information to complete the processes consented to by the data subject.
- Data Protection Officers
Companies dealing with the collection, processing and storing of data have to hire a Data Protection Officer (DPO) to oversee the application of the GDPR and to protect personal data from misuse, unauthorised access, and other security breaches.
- Fines
Punishing fines for data misuse and breaches can reach R299 150 249,80 (£18 million) or 4% of the company’s global annual turnover.
- Awareness and Training
Companies must create awareness among employees about key GDPR requirements and conduct regular training to ensure that employees remain aware of their responsibilities with regard to the protection of personal data.
- Data Protection Impact Assessment
To estimate the impact of changes or new actions, a Data Protection Impact Assessment should be conducted when initiating a new project, change, or product.