media update’s Aisling McCarthy looks at the EU’s GDPR, and how this will affect businesses in South Africa.

What is the GDPR?

The GDPR is a legal framework that sets the guidelines for the collection and processing of personal information from people living within the EU.

It sets out principles for data management, based on protecting the rights of individuals. Companies who don’t comply with these rules, from Friday, 25 May, can expect hefty fines – up to four percent of their global annual revenue, in certain cases.

Facebook’s Business Page says that the GDPR covers how a company processes data.

“Processing is defined broadly and refers to anything related to personal data, including how a company handles and manages data, such as collecting, storing, using and destroying data.”

Facebook says that not only are the new regulations are largely built on the current EU data protection guidelines, but that the GDPR has “a wider scope, more prescriptive standards and substantial fines.”

For example, the GDPR requires a higher standard of consent when using certain types of data. Think way more in-depth terms and conditions. No more skimming and just clicking “accept”. Yes – that means YOU.

Who will the GDPR affect?

The GDPR will not only affect European businesses but any business that processes personal data from citizens of the EU.

‘Personal data’ is considered as well as any information that could be used on its own, or in conjunction with other data, to identify an individual.

To know if you’ll be affected, ask yourself:

  • Does your business that collects, stores or shares ‘identifying’ data on EU citizens. If your hand is up, you’ll be affected.
  • Is your business located outside of the EU? Doesn’t matter – you’ll still be affected.
  • Does your data processing happen outside of the EU? Either way – the GDPR will affect you.
  • Do you get your data on EU citizen from third parties? Bad news – you will be affected.

What does the GDPR mean for South African businesses?

Right now, most South Africa businesses are more focused on the imminent Protection of Personal Information Act 4 of 2013 (aka POPI). POPI’s objectives are to regulate the processing of personal information and data protection in an effort to ensure South African data protection laws align with the international standards. Sound familiar?

For the most part, GDPR and POPI have the same aim. However, that doesn’t mean that POPI-compliant businesses are safe from the GDPR just yet.

Ross Saunders, director of global services at Curra Software Solutions, says that South African businesses need to prepare themselves.

“Considering the EU is one of South Africa’s biggest trade partners, South African businesses will have to be cognisant of this data protection law, in addition to the POPI Act.”

He continues, “That being said, the GDPR and POPI Act are relatively similar in their application, with numerous overlaps. This is good news for companies who comply with the POPI Act. They won’t need to start again, but certain changes will have to be made to ensure compliance.”

Do you need to prepare your business? It’s a yes if you:

  • process data of an EU member state citizen or temporary resident
  • have employees based in an EU member state
  • offer goods and/or services in an EU member state, or
  • have a partnership with an EU business.
When thinking of the GDPR in a South African context, keep in mind that being compliant makes business relationships with the EU easier.

So my business will be affected. What now?

For starters, make yourself aware of the new requirements under the GDPR. Once you know what is expected of businesses, you can take the following steps:

1. Implement the required processes and actions.

2. Determine the necessary actions to be performed on the data. This can includes an analysis and understanding of the data flow (how you get it, where it’s stored, who it’s shared with and how it’s removed).

3. Identify any gaps in the process, and put plans in place to fix them.

4. Keep your workforce educated about the legislation and how to comply.

Want to stay up to date with the latest marketing news? Subscribe to our newsletter.
The GDPR and POPI Act have many similarities but are not exactly the same. Find out more about the POPI Act in our article, IAB Digital Summit: How the POPI Act affects direct marketing.