GDPR – Ready… Steady… Deadline May 2018
We applaud those organisations who are vigorously preparing for POPI, and urge you to raise your head out of the trenches for a moment, and if you haven’t done so, take note of GDPR!
Whilst many organisations in South Africa have taken a tardy approach to POPI (the Protection of Personal Information Act), mostly because its effective date keeps slipping, we do not have that luxury when it comes to the GDPR. If you process personal information you may still have time, depending on who your data subjects are, but read on: you may be in for a rude awakening!
‘GDPR is being called “a revolution,” “a paradigm change” and “a ticking time bomb.” Such language suggests that it’s going to have a forceful impact and, for the unprepared, a potentially destructive outcome. The GDPR is the most sweeping revision to European privacy and data protection legislation ever.’ (Tim Walters, Ph.D.)
It is important to note that the legal reach of the GDPR (General Data Protection Regulation) is not defined by geography but by the processing of the personal data of individuals in the EU. That means it applies to any organisation, located anywhere in the world, that either “offers goods or services” to individuals in the EU or “monitors their behaviour” (Article 3(2)).
Does GDPR affect your organization?
Do you deal with European (including UK) residents? If yes – read on.
What is the penalty for non-compliance?
Up to €20 million or 4% of total worldwide annual turnover for the preceding financial year – whichever is higher! Comparatively, the POPI R10 million fine suddenly looks like small change.
Need to see the Regulations?
You can access and/or download both the POPI Act and its regulations, as well as the text of the GDPR, on our website.
- If you deal with the personal data of individuals in the EU, whether as clients, as staff, or as their processor (or operator in POPI language), you have to be GDPR compliant. Recital 22 of the Regulation puts it this way for organisations established in the EU: “Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.” Organisations with no EU establishment are caught instead by Article 3(2) when they offer goods or services to, or monitor the behaviour of, individuals in the EU.
- The Regulation covers personal data processed by ‘any’ means: wholly or partly automated processing, and manual or paper records that form part of a filing system (Article 2(1)).
- The GDPR is written around a risk-based approach rather than a rules-based one. By implication, measuring our own readiness becomes paramount.
Key Provisions of the GDPR:
What is personal data?
The GDPR defines personal data as any information relating to an identified or identifiable natural person: anything that identifies an individual directly, or does so when combined with other information. The Regulation specifically includes online identifiers provided by digital devices and applications, such as IP addresses, cookie identifiers, and device IDs.
Where an organisation relies on its legitimate interests as the lawful basis for processing, it must balance those interests against the “fundamental rights and freedoms” of the data subject.
New obligations for partners that process data.
The change that the GDPR brings is that it places direct compliance obligations on processors, not only on controllers. Each controller–processor relationship must be documented in a written contract (Article 28) and very carefully planned, monitored, and governed in order to ensure joint compliance with the GDPR.
The right to “erasure” and data portability.
The GDPR gives individuals the right to erasure (the “right to be forgotten”). Individuals “should have control of their own personal data.” A data subject may contact any organisation that holds their data and request that it be: 1) rectified, 2) erased, 3) transferred to another organisation in a “structured, commonly used and machine-readable format”. These rights are subject to conditions (erasure, for example, does not apply where the processing is needed to comply with a legal obligation), but a valid request must be acted on without undue delay and in any event within one month of receipt, extendable by a further two months for complex or numerous requests.
Consent.
The GDPR requires that consent must be “freely given, specific, informed, and unambiguous.” “Specific” means that the consent request must state the precise purpose for which the data is being collected; if more than one purpose is planned, the individual must be given a “granular” choice – that is, the ability to consent to one purpose but not others. The consent request must be “concise, transparent, and intelligible”, and clearly distinguishable from other matters. I have seen many companies go for an ‘all-encompassing’ consent clause, which pretty much forces the data subject into consenting all his/her rights away. The GDPR makes these clauses obsolete.
“Accountability” is the most powerful obligation that the GDPR places on affected firms. It is simply not enough to follow the letter of the law. Rather, companies must be able to demonstrate, in their policies, processes, and behaviours, that they embrace and embody the core principles of privacy and personal data protection that the GDPR sets out.
Do not underestimate the impact of GDPR. If you are impacted, you have to act now! Give us a call to help you with a quick impact assessment, training, or assistance with implementation.