The General Data Protection Regulation (GDPR) was enforced on 25 May 2018 by the European Union Law and was drafted to coordinate any previous and or current legislation in one document. This means that every resident of the European Union’s (EU) right to data privacy are protected under this regulations. Any law or regulation approved by the EU are in general applicable within the member states of the European Union. It must be emphasized that the GDPR is not a South African Law and that the Protection of Personal Information Act, Act 4 of 2013 (POPI) is applicable on us, however, certain requirements contained in the GDPR will have an effect on South African business owners who falls within the exceptions.
The GDPR applies not only to businesses within the EU but also to businesses outside the United Nations (UN), if such a business offer goods or services to residents of the EU or monitor their behavior. The GDPR also stipulates that if a business process and holds data of residents of the EU, they will have to comply with the requirements of the GDPR.
South African businesses which participate in business within any UN state or have a partnership with an EU business will fall within the scope of the GDPR. Businesses in South Africa that have a presence in the EU will, therefore, need to be alert of the new requirements under the GDPR in order to endure their businesses in a data protection compliant manner.
Like the POPI Act, the GDPR’s goal is to safeguard against any privacy and data breaches in a new worldwide setting where business has become interwoven with technology and where most of the data is electronically transmitted. Although it is still the primary objective for South African businesses to make sure to be compliant with the POPI Act, they have a responsibility not to neglect the GDPR, especially if they fall within the above-mentioned exceptions and considering that the EU is one of South Africa’s biggest trade partners.
A matter for concern is the enforcement date which was 25 May 2018. If it seems that a business is not compliant with the GDPR, such a business can be reported to a Data Protection Authority in an EU country. Such an authority can conduct an investigation and if they find that the business is not compliant, it will direct the business to become compliant. Failure to become complaint can result in receiving a fine of up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
Fortunately for South African Businesses the GDPR and POPI Act are fairly similar in their application. This means that if a business is already compliant with the POPI Act, they will only have to make certain adjustments to ensure that they are compliant with GDPR.
ABOUT THE AUTHOR:
Altus de Wet is a SEESA Consumer Protection & POPI Legal Advisor at our Bloemfontein office.