CAPE TOWN – The EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018 with a set of rules and regulations aimed at protecting personal data held by businesses and organisations.
GDPR’s purpose is to strengthen individuals’ rights over their data, in that they have enhanced rights to:
- be informed about the way their data is processed
- request access to a copy of their data
- object to their data being handled for some specific purposes
- restrict a business from processing their data if it’s inaccurate, or if the reason for processing is contested
- correct mistakes in the data an entity stores about the individual
- make their data portable so it can be shared with other data controllers or entities
- request the deletion of their data (the right to be forgotten)
- NOT to be subject to decisions based solely on automated data processing.
What’s the relevance for South African companies?
The GDPR has extra-territorial impact in that it applies to any company dealing with the personal data of individuals residing in the EU. This is regardless of the company’s location. In other words, it is the domicile of the data subject, not of the organization storing their data, which determines whether the GDPR will apply. The GDPR may grant some flexibility to smaller companies, but in general, the GDPR is agnostic when it comes to a company’s size. The new rules give authorities the ability to levy fines of up to 4% of a company’s global revenues.
The right to be forgotten
One of the most prominent and complex new changes is the data subject’s “right to be forgotten”, meaning that an individual can request that a company erase his or her personal data. This requires companies to have the systems and processes in place to handle such a request, as well as making sure a company’s legacy data is compliant. Companies storing, handling and processing EU residents’ personal data will need to have a process in place to locate the data and comply with these requests. As most of you know, deleting a single data record that may have been copied to numerous databases, aggregated or shared with a third party may not be a simple process.
Data breach notification
Another major challenge of GDPR compliance is the new requirement to notify authorities of a data breach within 72 hours of its occurrence. Companies should put adequate processes and systems in place to identify what data is affected and what procedures exist to improve internal collaboration before informing authorities. Repeated breaches will no doubt result in higher penalties and stricter regulatory monitoring.
GDPR also requires application of “privacy by design” and “privacy by default” principles to encourage data protection from the earliest stage of any project or initiative. A robust privacy check at the beginning of every project or new process is a mandatory internal requirement. Since the GDPR is not a one-off implementation, it will require a continuous risk-based approach.
If your company processes data which is subject to the GDPR, it is important to note the following:
- Being well prepared for a data breach will help reduce the reputational impact as well as any resultant business interruption. The way in which an organization manages a breach usually has a direct impact on the cost thereof. In addition, authorities are more likely to penalize companies that are not well prepared and do not handle breaches according to best practices;
- Consider organizing all personal information into information flows from the point of entry to its exit or destruction or deletion. The information flow should identify all the types of personal information collected by the organization; how the personal information is used and stored; what mechanisms exist to deal with subject access requests; how long the personal information is retained; what systems exist to ensure that personal information is not kept longer than required; and how the personal information is deleted, destroyed or de-identified;
- Consider standardised templates for any data access requests;
- Cyber insurance can help with aspects of compliance. Such insurance, for example, often includes consulting and incident planning services, as well as breach response services. If a company suffers a breach it will need access to expertise, such as specialist lawyers, IT forensics and crisis management consultants. Your cyber insurance should provide instant access to such experts and help demonstrate to authorities that you are taking immediate and appropriate steps to reduce the impact of a data breach as well as meeting any regulatory requirements.
In closing, this new EU regulation is a further indication that the risk landscape is constantly changing, and that interdependence between entities in far-flung jurisdictions brings new risks that were probably not foreseen until recently. This requires better response strategies to ensure that such risks are adequately managed.
Kristin van Niekerk is a legal and compliance expert at Allianz.
The views expressed here do not necessarily represent those of Independent Media.
BUSINESS REPORT ONLINE