As companies increase their global footprints because of digital transformation, data privacy is becoming an issue of global importance rather than just an in-country issue. The new General Data Protection Regulation (GDPR) comes into play on the 25th of May this year and it will have a huge impact on African companies that deal with clients based in the European Union (EU).
Talking to CIO East Africa during the Cloud and Security Summit in Kigali, Chris Morrison, security consultant at Footprint Business Africa Solutions (FABS) said many African countries still do not have local legislation supporting the GDPR in place, despite it being four years in the making.
“While a few African countries have already put local data protection legislation in place, there seems to be a disparate approach to data protection across the continent,” says Morrison.
Delegates at the Cloud and Security Summit
The biggest challenge facing companies in Africa that deal with data out of the EU is that, even if data protection laws do not exist within their countries, they must comply with the GDPR or face the consequences. “Non-compliance comes with massive repercussions and will be determined based on the actual infringement in question, the impact of the infringement and the type of personal data involved,” said Morrison. “Penalties include fines of between two and four percent of total global revenue for the preceding year or between €10 and €20-million, whichever is greater,” he added.
The Information Commissioner’s Office (ICO) in the UK has prepared a 12-step guideline for GDPR compliance. “Decision-makers and key people within the organisation need to be aware of the new law and must understand the impact that it is likely to have. The company also needs to have a clear view of what information it holds, where it emanated from and who it is shared with,” averred Morrison.
Privacy notices must also be reviewed and amended to be in line with GDPR requirements, and procedures must be put in place to ensure that the rights of individuals are protected, including how personal data will be deleted and shared.
Morrison was categorical that other areas needing review as part of preparing for the GDPR include how companies seek, record and manage consent for the collection of data, how they will verify individuals’ ages and obtain parental consent where required, and how they will detect, report and investigate personal data breaches.
In line with the GDPR, organisations should conduct Data Privacy Impact Assessments as part of their preparation and, where they carry out cross-border processing, they must determine which authority constitutes their lead data processing authority. Morrison added that it would be prudent to consider formally appointing a Data Protection Officer. “This person would take responsibility for data protection compliance and governance requirements,” he stressed.
Organisations in Africa cannot simply assume that the regulation does not apply to them, simply because they do not operate in the EU. “The GDPR will have far-reaching consequences for companies and they must ensure that they are prepared for those,” says Morrison.