Towards the end of May 2018, did you receive a surprisingly large number of emails informing you of new privacy policies from websites and service providers that communicate with you and store your data? Companies have had over two years to comply with the GDPR, yet the flurry of activity, particularly on 24 May 2018, indicates that most left it until the last minute. From blocking EU website visitors, to temporary server shutdowns, to completely withdrawing services from the EU, the implementation of the GDPR has had a major effect.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA (Wikipedia). It became effective on 25 May 2018.
Similar to our Protection of Personal Information Act (POPIA), the GDPR makes organisations accountable for personal data protection. It governs the handling, collection, processing and storage of information that could lead to the identification of an individual. Such information includes, but is not limited to, names, ID numbers, location data and IP addresses, and the data subject (the individual the data relates to) has the right to revoke any permission given at any time.
If you are a South African company and you sell products or services to, or process the personal data of, EU citizens, the GDPR applies to you. A key consideration in determining your level of responsibility is whether you are a controller or a processor of data – controllers do hold more liability for compliance.
The bad news
Failure to comply with the GDPR can result in a fine of 4% of a company’s global revenue or €20m, whichever is greater. In comparison, failure to comply with POPIA has a maximum fine of R10m. The reason for this vast difference is that the GDPR requirements are much more extensive and demanding.
Businesses whose core activities involve regular or organised processing of personal data will need to employ a Data Protection Officer (DPO) who is responsible for managing GDPR compliance.
If your organisation needs to comply with the GDPR, you will need to review all existing contracts, whether held directly or via third-party providers, to ensure they are updated with the new requirements.
A major challenge is the need to establish a record of what data is being stored and used. A detailed inventory is required, while at the same time a full audit trail must be maintained. Data subjects now have the right to request and obtain a large amount of information, including the data source, the storage period and the recipients to whom the data has been disclosed, and they also have the right to lodge a complaint.
Privacy campaigner and lawyer Max Schrems, founder of the non-profit organisation NOYB, wasted no time in filing complaints against Google, Facebook, WhatsApp and Instagram. The complaints allege that users were forced to agree to new privacy policies, which is in violation of the GDPR. These complaints could result in fines of up to €7bn if successful.
The good news
Risk management will need to become far more involved with regard to what types of data your company currently collects and stores, including data held in cloud storage and on mobile devices. Even though this may become a complex environment to navigate, it can only improve your knowledge of the risks involved and of how your control environment is being monitored.
From a governance perspective, board members also need to take accountability for ensuring that data protection risks receive relevant and continued attention from senior management.
Companies are required to inform any affected parties of a data breach and to notify the relevant data protection authority within 72 hours of occurrence.
Risk awareness, governance, compliance and transparency all get a welcome boost in visibility. Compliance with the GDPR does not need to be onerous, as companies that already have a history of good data management will not require much more work to become GDPR compliant. Responsible handling of personal data is of utmost importance.
Tips to consider when assessing your compliance
- Perform a data audit. What do you have, how is it stored and how could it be deleted when required?
- Relook at your opt-in/opt-out process. Specific permissions are needed per data type and ongoing monitoring will be necessary.
- Controller or Processor of data? This will determine your level of liability and can indicate whether you will need to appoint a DPO.
- Education. The board and senior management need to be educated on the potential liability if non-compliance occurs.
- What to do if a breach occurs? If there is a data breach, what policies and procedures do you have in place to detect and report it?
The European Commission has provided a large amount of information to assist both organisations that need to comply and EU citizens seeking to understand their rights. An excellent infographic on how the GDPR affects SMEs is also available.
With thanks to the European Commission, Wikipedia and Michalsons law firm for information contained in this article.
Author – Warrick Asher