The EU’s GDPR and some African data protection laws differ significantly
One of the major differences between the General Data Protection Regulation and SA’s Protection of Personal Information Act is the definition of a ‘person’
Africa has 17 countries in which data protection legislation has been adopted. In addition, the African Union (AU) has adopted the AU Convention on Cyber-security and Personal Data Protection, which needs ratification by 15 of the 54 AU member states before it enters into force.
The data protection legislation adopted by countries in Africa shares many principles with the EU’s new General Data Protection Regulation (GDPR), but there are some key areas in which they differ.
Some jurisdictions require organisations to register with a data protection authority; others do not. Some countries are very prescriptive on cross-border data transfers, while others have few or no requirements.
In SA, a key distinction between the GDPR and the Protection of Personal Information Act (POPIA) is the definition of a person and, by extension, what constitutes personal information. POPIA includes juristic persons, such as companies, in its definition of a ‘person’, so information about an existing company can be personal information under POPIA where it would not be under the GDPR.
The disparities in data protection legislation across Africa already pose a challenge to multinational organisations with an African presence, and when the requirements of the GDPR are added on top, these challenges can seem overwhelming.
So how, then, can a multinational organisation achieve optimal compliance? The answer is to adopt a single, higher data protection standard across the group. If that higher standard is applied everywhere, with each country’s particular legislative requirements layered on top where they go further, compliance efforts can be streamlined considerably.
Organisations have significantly underestimated the time and effort required for GDPR compliance. Organisations such as non-profits that receive international aid funding, as well as those that serve as outsourced service providers to EU organisations, have invested time and money in creating data-mapping and GDPR-readiness assessment templates. However, the time, tools and investment required to close the gaps identified by these readiness assessments have been grossly underestimated on the road to compliance.
Organisations have only recently started to send GDPR self-assessment questionnaires to their outsourced service providers, such as payroll processors. The responses have indicated that many of these providers are not GDPR-ready in terms of their obligations as processors, which in turn undermines the ability of the organisations that use them to comply as controllers.
Organisations should not assume that security technology alone will satisfy all their privacy compliance requirements. An effective compliance approach must cover people, technology and business processes.
Technology is evolving at a rapid and exciting pace. However, with great technology should also come great responsibility and accountability. This is why data privacy requirements are only going to increase. That is a good thing, as it helps protect the high volume of personal information held by controllers and processors, who will need to work towards increasing their information security-risk maturity and ensure that data privacy is always on the agenda at C-suite level.
• Pillay is regional divisional director of risk advisory services, RSM SA