Steps to becoming GDPR compliant as a South African Company

There is a plethora of information relating to the necessity of compliance of the General Data Protection Regulation (“GDPR”) , a European Union directive that will come into force on 25 May 2018.

There is a plethora of information relating to the necessity of compliance of the General Data Protection Regulation (“GDPR”) , a European Union directive that will come into force on 25 May 2018.  This legislation will fast forward European law into new ways of protecting personal data around the world especially given the advancing of modern technology and its ability to harvest how personal information is stored and shared.

Companies must attempt to keep up with the pace of this new law which in its framework strongly advises companies on what they must do to abide by the rules in order to protect personal information, including explicit consent, communicating with data subjects, implementing data protection through composite data policy and advising companies on whether they need a data protection officer.  Failure to comply may lead to the company being fined up to 4% of their global turnover or otherwise they can be sanctioned including an injunction to cease all commercial activities dealing with personal data, depending on the gravity of the violation.

Within an ever-globalized world with free data processing, companies generally don’t have their geographic foot print limited.  It’s important for companies that suspect that they will be affected by the GDPR to understand the streamline of personal and sensitive data arising from the EU that is being transferred to South Africa. I list below 5 key elements that South African companies who suspect they will be affected by the GDPR be aware of for GDPR compliance purposes.

1 Identify what is the GDPR and when it will come into force.

The General Data Protection Regulation (GDPR)  is a European Union (“EU”) directive.  GDPR applies to any organization that is doing business in the EU and is collecting, processing and storing the data of EU citizens, no matter where the company is based or located.  This applies the principle of ‘long arm of jurisdiction.’  The GDPR will effectively come into force 25 May 2018.

2 Generate a composite data policy

GDPR requires a company to understand the networks in production and trade that affect personal data and requires companies to organize data for GDPR compliance.  This gives rise to the need of companies doing business in the EU and collecting, processing and storing the data of EU citizens to run a data inventory.  This will help companies to:

  • map how personal data is stored;
  • to review  compliance practices and design on processing activities, that the company may require for each type of data it collects.;
  • to further analyse the risks it may cause to the data subject. This is due to the fact that GDPR requires that companies must prove that they can protect the data of EU citizens from sign-up to delivery.

3 Seek explicit consent to gather data

Under the new GDPR, consent for gathering data must be given freely, and must be specific, informed and unambiguous.  Consent cannot come from silence, pre-ticked boxes or inactivity.

4 Appoint a Data Protection Officer (DPO) to take responsibility for the regulatory compliance.

The DPO will take full responsibility in making sure that the company will take the needed measures to have its processes and information flow, according to the GDPR.

5 Data breaches and notifications

A company affected by the GDPR must adopt internal procedures for and require the same of third-party partners, in order to deal with data breaches.

These procedures should include identification of the actual data breach, investigation of the circumstances of the breach,  assessment of the implications it may cause both to the company and to the data subject regarding his or her privacy.

This includes notification within 72 hours when data subjects are exposed to some risk, as well as the need for notification to the Supervisory Authority within no more than 72 hours when the data subjects are exposed to risk.

Therefore, if you suspect yourself to be at risk of GDPR non-compliance, ask yourself does my company get exposed to EU citizens personal information? If yes than GDPR compliance applies to you.

Filter By

Must Reads

Subscribe to receive our latest articles

Follow Us

Related Posts

Imitation is the greatest form of flattery, but we don’t think so in this case.

We are aware of the phishing email that has been circulated to many people. Although we are not the firm mentioned in the phishing email you may have received, we’ve received several calls because of the similarity to our firm name so, unless you’d like to have a chat about other technology law matters, please don’t call us as we won’t be able to help. 

We know the firm in the phishing email is a genuine law firm, based in Cape Town, and we’ve alerted them to what is likely an impersonation scam.

If you’d like to learn more about phishing, click on the following link (we promise this is a legitimate link ) to watch this entertaining video we did eight years ago.