More than a few people are complaining about the dozens of emails that they received over this last week, informing them that international companies are updating their privacy policies and asking users to verify information due to the General Data Protection Regulation (GDPR) taking effect in the European Union.
While it is easy to dismiss them, the emails actually point to a very comprehensive legislative instrument which applies to the personal data of all European Union citizens and has far-reaching implications for everyone who processes their data, explains Verlie Oosthuizen, head of Social Media Law at Shepstone Wylie.
“The legislation does not often apply to countries or companies that are not based in the place where the law is in force; however, with the GDPR, any company that offers goods and services to EU citizens (or monitors their activity through applications) will have to be compliant with the Regulation,” she said.
“The requirements for compliance with the GDPR are quite onerous and detailed. It is also expensive to implement the necessary systems.
“It is more challenging in South Africa as we do not have current data protection legislation in place, and so companies do not have a sophisticated culture of data protection compliance. Although the Protection of Personal Information Act (POPIA) has been passed, it is not fully operational and compliance is not yet necessary.”
Unfortunately, non-compliance with data protection provisions can lead to nasty fines in terms of the GDPR, Oosthuizen cautioned.
“The protection of personal data has become increasingly important with the development of the digital age and online activity, and data breaches do occur. When an EU citizen’s data is compromised, they may report it to the EU authorities, who would investigate and possibly fine the South African company in Euros.”
She added that the initial fine could be in the region of 10 million Euros (R146 million) – an amount which would cripple most companies.
“The issue of enforcement of the GDPR in South Africa is up for debate, as one may ask how the fine would be collected, but even receiving a notice of a fine of 10 million Euros in the post would be terrifying for any SA company,” she said.
“If you think your company may need to comply with the GDPR, then you must take steps without delay to start compliance processes.”