After a two-year transition period, the General Data Protection Regulation (GDPR), a wide-reaching new piece of European legislation, is coming into full force.
Though this law may seem a world away from South Africa, Daniel Lötter, Head: Bids and Tenders at managed service provider Itec Southern Africa, says organisations should pay close attention to it – both for the sake of their business abroad and their legal stature in South Africa.
“If you handle any information of an EU citizen or you have an EU citizen on your board, or anything like that, then you have to be GDPR compliant,” said Lötter.
“If you want to do business with European resident countries, from a supplier or a vendor point of view, you also have to be compliant.”
The direct consequences of GDPR are serious, including fines of up to 4% of annual global turnover or a flat €20 million – whichever is higher. Even if local companies are not in the firing line, GDPR could severely impact their relationships with European companies:
“Compliance is very serious,” added Lötter.
“GDPR has been in a honeymoon period since 2016 and that has come to an end. It brings some very stiff penalties along with it and European regulators will want to show it has teeth. Once one or more companies receive fines, many will follow the rules. That means anyone part of their value chain who isn’t compliant will at the least be cut off. So even if the prospect of direct fines and penalties may be low for South African companies, the knock-on effects will still be felt. You have to find out how exposed you are.”
GDPR is more than just a law. It is being treated as an example of the shifting regulatory environment around data usage. As revealed by the recent problems at Facebook, not to mention countless data breaches of companies around the world, data management, ownership and control are becoming hot topics and won’t go away. So governments and societies are responding to protect this resource, as well as the sources that provide the data.
South Africa has its own data-centric legislation, the Protection of Personal Information (PoPI) act. GDPR’s arrival is a sign that local organisations must look closely at their compliance.
“The similarities between GDPR and PoPI are huge,” said Lötter.
“There are some small and crucial differences around transactional data, but otherwise they are very similar. Even if a local business doesn’t require GDPR compliance, chances are much greater that they need to be in step with PoPI. In that light, GDPR is an opportunity for local businesses to reflect on their PoPI status and start making the right changes.”
GDPR and PoPI compliance impact many different parts of a company. But a prime component is data security, which is why Itec is launching a new security solution to help local companies of all sizes.
“We have launched a partnership with First Distribution to bring the Veritas security solution to our customers. This will create a security service with different tiers for various types of organisations. The solution is actually geared towards PoPI compliance. So this will help focus on customer information, which lies at the core of both GDPR and PoPI requirements.”