By Darryl Bernstein, Head of the Technology, Media and Telecommunications Practice, Baker McKenzie Johannesburg
Businesses in Africa that process customer data from the European Union (EU) must ensure they are fully compliant with the EU General Data Protection Regulation (GDPR), set to become effective in May 2018. The GDPR will have consequences for financial services organisations in Africa and non-compliance will expose these organisations to substantial fines and possible damage to reputation.
The GDPR is set to be the biggest change in EU data protection law in two decades and will affect the way companies collect, process, store and transfer personal data in and out of the EU. Companies in Africa doing business with the EU should assess how the GDPR will affect their business models and data processing practices and urgently formulate a plan to address steps they need to take to be compliant when the GDPR comes into force.
Further, South Africa’s own data privacy legislation, the Protection of Personal Information Act, 2013 (POPIA) is due to come into effect this year. POPIA was prepared as a draft bill in 2009 and followed closely the regulations of the EU’s first data privacy legislation – the EU Data Protection Directive (1995), making the two pieces of legislation very similar. However, the EU Data Protection Directive will now be replaced by the GDPR. Certain sections of the GDPR are different to the previous EU Directive, and as a result these sections differ from POPIA as well. South African businesses doing business with the EU will therefore have to ensure they are compliant with the regulations in GDPR that are not covered by their compliance with POPIA.
For instance, the GDPR deals with a subject’s right to data portability, which POPIA does not. It also requires data controllers to conduct data protection impact assessments, which is not required under POPIA and the GDPR has much higher penalties for non-compliance.
There are also many similarities between POPIA and the GDPR and some concepts and definitions are the same. For instance, a Responsible Party in POPIA is termed a Controller in the GDPR, an Operator in the context of POPIA is a Processor in the GDPR and POPIA’s information Officer is a Data Protection Officer (DPO) in the GDPR.
Notable differences in the GDPR are the right to data portability (the right to obtain a copy of one’s personal data from the Controller and have them transferred to another Controller), the right to erasure (or the ‘right to be forgotten’); the right to restriction of processing; as well as the right to object to certain processing activities (profiling) and to automated processing decisions. Controllers will also be required to provide significantly more information to data subjects about their processing activities. These are not included in POPIA.
Consent is retained as a processing condition in the EU Directive and in POPIA but the GDPR is more prescriptive when it comes to the conditions for obtaining valid consent. The key change is that consent will require a statement or clear affirmative action of the data subject. Silence, pre-ticked boxes and inactivity will not be sufficient. The GDPR clarifies cases where consent will not be freely given (for example, no genuine choice to refuse, and clear imbalance between the data subject and controller). Data subjects must be informed of their right to withdraw consent.
The GDPR also imposes compliance obligations directly on Processors, such as implementing security measures, notifying the data Controller of data breaches, appointing a DPO (if applicable), maintaining records of processing activities, etc. Processors will be directly liable in case of non-compliance and may be subject to direct enforcement action. Controllers and Processors will be required to enter into detailed processing agreements or renegotiate existing ones. Under the GDPR, Controllers and Processors will have to maintain records of processing activities. Detailed information must be kept and provided to supervisory authorities upon request.
Also unique to the GDPR, Controllers will be required to perform a Data Protection Impact Assessments (DPIA) where the processing of personal data (particularly when using new technologies) is likely to result in a high risk to the rights and freedoms of individuals. DPIAs will particularly be required in cases of an evaluation of personal aspects based on automated data processing including profiling; processing on a large scale of special categories of data; or systematic monitoring of a publicly accessible area.
The GDPR retains the cross-border data transfer rules of the EU Directive, which is also contained in POPIA, but adds new ones such as certification mechanisms and codes of conduct, as well as a new, very limited derogation for occasional transfers based on legitimate interest. Country-specific authorisation processes will no longer be needed (with some exceptions) and Binding Corporate Rules are formally recognised in the GDPR.
In terms of data breach notification, under the GDPR, controllers will have to report data breaches to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk for data subjects’ rights and freedoms). A proper justification must accompany the notification if it is not made within 72 hours. Affected data subjects must be notified of a breach without undue delay if the breach is likely to result in a “high risk” for their rights or freedoms.
Similar data breach notification regulations are also contained in POPIA. POPIA stipulates that a data breach must be notified as soon as reasonably possible after the discovery of the compromise, considering the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
The GDPR will also harmonise the tasks and powers of supervisory authorities and significantly increase fines. For major infringements (such as failure to comply with cross-border transfer rules or to obtain adequate consents) fines can be up to 20 million EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher). POPIA proposes a fine or imprisonment of between R1 million and R10 million or one to ten years in jail for breaches of the data protection law.
Considering these new regulations, organisations in South Africa that are doing business with the EU should urgently implement a cross-border data transfer strategy that includes compliance with the GDPR, even if they are already POPIA compliant. Failure to do so will result in punitive fines and the inability to conduct cross-border business operations effectively.