The EU General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, will require all companies, including those in South Africa, that control or process the personal data of people in the EU to comply or face fines of up to €20 million or 4% of annual global turnover, whichever is higher.
The GDPR aims to give EU citizens and residents more control over their personal data, and to simplify the regulatory environment for international business by unifying data protection rules across the EU. Under the regulation, companies must safeguard personal data, give individuals access to the data held about them, and erase that data on request where there is no longer a lawful basis to keep it, for example once it is no longer needed for the purpose for which it was collected.
“Anybody who shares data about an EU citizen or resident would have to be compliant in terms of the GDPR,” says Jared Higgins, CEO of Secure Drive, a member of the Arcfye Group, adding: “The GDPR is the world now waking up.”
According to Advocate Louis Nel, Legal Adviser and Owner of Louis the Lawyer, the GDPR applies to all entities across the globe that offer goods or services to consumers in the EU. This means car rental companies, hotels and operators will have to ensure compliance.
Nel says: “Given the more pervasive nature of the GDPR, it is recommended that it be used as a standard rather than the POPI Act.”
Article 83 of the GDPR sets out the administrative fines in two tiers. The first is up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher; the second is up to €20 million or 4% of that turnover, again whichever is higher.
“The GDPR is here, you are going to have to understand it and build it into your business if working with EU citizens or residents,” says Nel.
It should be noted, says Nel, that smaller firms with fewer than 250 employees are exempt from certain GDPR requirements; they must nonetheless keep a record of processing where the processing is likely to result in a risk to the rights and freedoms of data subjects. Article 30(5) also withdraws the exemption where processing is not occasional or involves special categories of data.
According to Nel, the GDPR requires the following, which aligns with the POPI Act:
-Assess security and privacy risks by means of a data protection impact assessment, for example identifying when processing may result in risks to data. What is required is a systematic and extensive evaluation of the organisation’s processes and the safeguards it has in place.
-The assessment should address the origin, nature, likelihood and severity of such risks.
-Business must show that it has implemented strategies not only to identify and pre-empt risk but also to manage and mitigate it.
-Preventative measures can include encryption and restricting user privileges; ideally it should be impossible to tamper with and/or destroy data (see POPI Act section 19).
-Regular audits of data processing must be carried out, and monitoring must be of such a nature as to detect breaches as early as possible.
-It is imperative that security applies to the entire life cycle of data.
-Incident response must be swift, since a breach will affect customers, brand and share value; engage lawyers, PR, insurers and the authorities (Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of a breach, where feasible).
According to Higgins, the GDPR will protect EU citizens against violations of privacy and against identity theft and fraud. He adds that the new regulations will stop companies buying people’s information, such as email address lists bought in bulk and used to send out mass mail.
“The need for the GDPR is a valid one,” comments Higgins, who says there is so much that we all do online without thinking about the security around it, such as posting boarding passes on Instagram, which makes the traveller’s personal and booking details freely accessible online.
According to Higgins, younger generations are most at risk of becoming victims of such crime.
Secure Drive recently launched an app, exclusively for its customers, in which data is stored. Secure Drive users have to re-enter their card CVV and expiry date every time they access the app, so that these details are never retained on the device, according to Higgins. In addition, the app only requests users’ location while the app is in use and after the user has granted permission; once the journey is complete the app can no longer track users’ whereabouts. In a world where technology can reach all manner of personal data, as the recently reported Facebook data incident showed, it is crucial to have further systems that protect individuals’ private data.
Higgins says many may find the re-entering of such information tedious, but if confidential data is automatically stored it poses a risk to the end user.
Increasing security means inconvenience, says Higgins, adding: “Very often, convenience comes at a cost.”