How GDPR Can Impact You
On 25 May 2018, the General Data Protection Regulation (GDPR) came into effect across European Union (EU) member states. The GDPR brings a significant extension of the territorial scope of the EU data protection regulations, catching a large number of overseas businesses. The GDPR may have an impact on businesses in South Africa.
Indeed, the GDPR considers not only the location of the processing but also the location of the individual whose data is being processed.
- The GDPR applies to all organisations that are established in the EU and are processing personal data in that context. Therefore, your organisation will fall within the territorial scope of the GDPR if it is processing personal data in the context of the activities of an establishment of a data controller or a data processor in the EU. GDPR will apply regardless of whether the processing actually takes place in the EU or not.
Data processors will also be caught, provided they have an establishment in the EU. Organisations cannot escape the application of the GDPR by processing data outside of the EU. Outsourced service providers, such as IT support, HR support, or data storage facilities, could fall under the scope of the GDPR.
- The GDPR also applies to organisations that are not established in the EU where:
For example, a South African company without any EU subsidiaries that offers free social media services to individuals in the EU, via a website hosted outside of the EU, would fall under the scope of the GDPR.
In the same way, a South African tourism accommodation booking business that uses cookies to track the browsing of past EU-based customers, in order to target specific hotel adverts to them, would be subject to the GDPR.
Therefore, organisations outside of the EU have to assess their operations to determine whether or not the GDPR does apply.
If GDPR does indeed apply to your organisation, you have to determine what changes or other steps may need to be taken to ensure compliance:
- Have you appointed a data protection officer with sufficient means and powers, as well as a representative based in an EU member state who will act as a point of contact for the regulators?
- Are you compliant in the way you collect, store and process personal data?
- Are personal data kept secure in accordance with the security principles of the GDPR?
GDPR may have an impact on your business, even if you are located in South Africa.
PPM Attorneys can help you with your compliance project.