OPINION: 6 things South African companies need to know about GDPR

File picture: Wilfredo Lee/AP

Published May 25, 2018

CAPE TOWN - GDPR is a far-reaching piece of legislation. It doesn’t only apply to companies registered in an EU member state. Any business that provides a service in the EU has to comply, regardless of whether the service provider has a presence in the EU or the recipient of the service is an EU citizen.  

So, for example, if you have a South African customer and they can transact on your site while resident in an EU country, then you need to be GDPR compliant.

Those companies are all trying to ensure that they’re GDPR compliant. You may have noticed that a few of those companies were South African.

But why should South African companies care about GDPR? And what else do they need to know about it?

1. Why it affects South African companies

GDPR is a far-reaching piece of legislation. It doesn’t only apply to companies registered in an EU member state. Any business that provides a service in the EU has to comply, regardless of whether the service provider has a presence in the EU or the recipient of the service is an EU citizen or resident.  

So, for example, if you have a South African customer and they can transact on your site while holidaying in an EU country, then you need to be GDPR compliant.

Even if you think you don’t have any customers in the EU, you can’t be certain, so you’re better off being compliant than not.

2. The deadline’s passed, but you should still work on compliance

The deadline for GDPR compliance may have passed, but that doesn’t mean you should stop working on it.

In fact, the longer you take to be compliant, the more likely it is that you’ll be sanctioned by a Data Protection Authority (DPA) in an EU country.

3. Compliance takes time

The slew of emails landing in inboxes on the eve of GDPR coming into effect wasn’t just because companies were procrastinating.

Becoming fully GDPR compliant takes time, meaning that if you aren’t there yet, you need to get moving as quickly as possible.

4. What you need to become compliant

When it comes to sending out digital communications, GDPR does include lawful bases for processing personal information.

If you communicate as part of providing a contracted service, for example by sending statements, invoices, and so on, then you’re generally safe.

If, however, you’re sending out marketing communications to someone who otherwise has no legal relationship with your business, you need to get their consent.

Consent here means having an explicit record of the person agreeing to receive messages from you (i.e. opt-in, not opt-out) and being able to show when and how they gave their consent and what they agreed to receive.

You have two options here: get hold of everyone on your marketing databases and get their explicit consent, or go through your database and remove everyone for whom you do not have recorded, explicit consent.

5. Your email database will take a hit

People are inundated with emails on a daily basis. Even if they see your consent email, there’s a reasonable chance they’ll see it as an opportunity to make their inbox a little less cluttered.

There’s a good chance, therefore, that your email marketing database will take a significant hit.

Any losses you encounter here, however, will impact you a lot less than if you fail to be GDPR compliant.

6. Non-compliance could be seriously costly

So what happens if you aren’t GDPR-compliant? First off, you’d be reported to a local Data Protection Authority (DPA) in an EU country.

The DPA will then decide whether or not you’re compliant. If you aren’t, the authority will direct you to get your house in order and become compliant. Failing that, you’ll be liable for a fine.

That fine could be as much as 20-million Euro (R292-million) or four percent of your company’s annual turnover.

Alison Treadaway is a director at Striata, a digital communications specialist which provides software and services to medium & large companies across the globe.

Treadaway joined Striata in 2002 and served as head of Striata’s Africa region for 13 years before moving her focus to marketing strategy and data privacy compliance.

Treadaway has a marketing and sales background in Internet-related solutions having worked in the sector since the mid-nineties.

The views expressed here are not necessarily those of Independent Media.

-BUSINESS REPORT 
