Thursday, 24 May 2018

General Data Protection Regulation (GDPR) and POPIA

In case you have been under a rock, or out since the 90’s: after years of preparation and debate, the General Data Protection Regulation (GDPR), which was passed by the EU Parliament in April 2016, comes into full force and effect from 25 May 2018.

What does this mean for South African businesses? Short answer: the GDPR is only relevant if a business processes the personal data of individuals in the EU, for example by offering them goods or services or by monitoring their behaviour, or if the business itself has an establishment in the EU.

Does a South African business that is compliant with the Protection of Personal Information Act (POPIA) need to do anything different to comply with the GDPR?  Yes – but potentially not too much.  As others have noted, POPIA and GDPR are different shades of the same colour – in basic terms, they both attempt to achieve the same thing.

Key to both POPIA and the GDPR is on-going compliance, with privacy treated as a core concern of the business.  Compliance is not a once-off exercise or a static target; it is an on-going process.

Consent is not the only lawful ground for processing under either law (POPIA and the GDPR both also recognise grounds such as performance of a contract, compliance with a legal obligation and legitimate interests), but where a business relies on consent, both require opt-in consent: a clear, affirmative expression of will indicating that the person agrees to his/her data being processed.  In the past, businesses relied on an “opt-out” (tell us to stop if it annoys you, but we will use your information as we please) – this is no longer acceptable. Even after express consent, communications should still carry some form of opt-out mechanism, since the person must be able to withdraw consent as easily as it was given. Further, it must be clear why data is being collected; how it is being collected; why it is being processed; how long it is retained; and finally, if and how it is being shared with other parties.  

In any business – from small to listed entity – documented policies must exist setting out how personal information is collected, processed and used.  This is not rocket science.  But it takes some preparation, thought and plenty of administration…