Given that this is European legislation, why should South African businesses care?
The obvious answer – GDPR applies to any business that deals with the personal data of EU citizens. This may mean you – even if your business is confined to South Africa.
The less obvious answer?
The South African Protection of Personal Information Act (PoPIA) draws heavily on the GDPR legislation.
There are some key differences – most obviously, PoPIA is South African law, while GDPR is promulgated in the EU.
GDPR protects the rights of individuals, whilst PoPIA extends these rights to legal entities such as businesses and trusts.
Yet, at their core the two have many common elements and requirements.
Both require a shift in culture to recognise that data privacy is being treated as a human rights issue.
Organisations must both adapt existing data policies to meet the requirements and define the organisational structures necessary to ensure accountability for the misuse of personal data.
These are data governance challenges.
A year before the May 2018 deadline, a Collibra and Compliance Week GDPR survey showed that the vast majority of companies surveyed were not ready for GDPR – and that around 50% could be expected to miss the May 2018 deadline.
The lesson for South African companies is clear!
12 months is not enough time to achieve PoPIA / GDPR compliance.
The survey points to several best practices for achieving and maintaining GDPR compliance that are equally relevant to PoPIA:
- Cover all four pillars: People, Process, Technology, and Data
- Use a top down approach to ensure results can be sustained
- GDPR / PoPIA are principle based
- GDPR / PoPIA are about the responsible use of data
- People use data, through processes that are enabled by technology
- Involve everyone: Data privacy regulations need board-level sponsorship and coordination, and joint leadership from legal, IT, HR and other business stakeholders
GDPR and PoPIA require organisations to create a new framework that defines how they will manage and use personal data.
Starting with data governance principles and approaches is the sensible way to ensure that your framework is both achievable and sustainable.
It is too late for those companies that have not acted timeously to meet the GDPR deadline at the end of May.
Hopefully we can avoid the same problem with PoPIA.