The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. This means South Africa is going to have to bring POPIA more in line with the GDPR, considering the EU is one of South Africa’s biggest trade partners. The GDPR creates one set of rules to be implemented uniformly across the EU with no room for interpretation or differing implementation by each EU member state.
What is the GDPR?
The GDPR is a data protection law which aims to safeguard against privacy and data breaches in a new global environment where business has become intertwined with technology and where most data is shared electronically.
Does it apply to your organisation?
According to DLA Piper, businesses operating in South Africa need to be aware that the GDPR applies in EU member states as well as where data is transferred to or from the EU. This means that businesses operating in South Africa which engage in business with people in EU member states will fall within the ambit of the GDPR.
The GDPR will apply where businesses in South Africa:
- process the data of an EU member state citizen or temporary resident
- have employees based in an EU member state
- offer goods or services in an EU member state
- have a partnership with an EU business
Who must comply with it?
According to the legislation, any company which processes the personal data of EU residents regarding the offering of goods or services, or monitors the behaviour of those residents, may need to comply.
Not complying with the GDPR will limit the ability to:
- have employees in the EU
- sell or market products online or offline in the EU
- partner with an EU organisation
- receive funding from an EU-based investor
Businesses in South Africa that have a presence in the EU will, therefore, need to be aware of the new requirements under the GDPR to continue to conduct their businesses in a data-protection-compliant manner. For organisations that have already taken firm steps to comply with POPIA and general data protection principles, compliance with the GDPR will not be such a great leap.