The European Union’s General Data Protection Regulation (“the GDPR”) is set to become fully effective on 25 May 2018. Closer to home, the Protection of Personal Information Act 4 of 2013 (“POPIA”) is closing in and is likely to become fully effective next year. Needless to say, the theme for 2018 is data protection.
Compliance with POPIA is an extensive and expensive task, but for many companies, compliance with data protection regulations doesn’t end there. The GDPR places further obligations on companies even if they operate outside the EU. Failure to comply with the GDPR can result in a fine of 4% of a company’s global revenue or 20 million euros, whichever is greater. The GDPR is a monster that makes POPIA, with its R10 million fine, look like a fluffy bunny. This is because the compliance requirements for the GDPR are far more extensive and the process far more gruelling than compliance with POPIA. The grizzly truth is that, for those who fall within its jurisdiction, the GDPR will corner you with harsher sanctions, regardless of whether you’re based in South Africa or in the European Union, so it’s best to prepare.
So, why would South African companies be subject to the GDPR and a severe penalty?
If a company has its headquarters in the EU and a subsidiary (or subcontractor) in South Africa (or any other country outside the EU), then it can be fined for noncompliance, regardless of where the noncompliance has taken place. Therefore, global companies with a presence in South Africa have to ensure that they comply with South African law as well as EU law. In addition, if you are a South African company and you target EU citizens, for example by advertising holiday packages to EU tourists, the GDPR applies to you.
I would recommend a proactive approach to compliance with the data protection laws while you still have time. Do your research, find out where your company operates and who it targets, and whose information is processed and for what reason. Make compliance less frightening by getting to know your business and taking a responsible approach to handling personal information.