GDPR: How compliant do you actually need to be with the EU’s new privacy rules?
The territorial scope of GDPR — the European Union’s new data privacy rules — is all-encompassing.
Essentially, article 3 means that wherever you are in the world, if you are processing personal information on behalf of an EU controller, or you are directly targeting EU citizens, you need to take heed of the GDPR.
But that does not necessarily mean that every part of your organisation has to comply with it.
South African businesses rely heavily on international investments, and there are increasing opportunities for local businesses to partner with EU organisations that want to expand or outsource certain aspects of their operations.
If you are a supplier or subsidiary to an EU-based company, then the pressure is on you to comply with GDPR if you want to continue working with these companies.
If you are an independent business with no attachment to the EU, yet your services are aimed at EU citizens — for example, you are a tour company tailoring South African safari experiences for EU citizens — you will need to comply with GDPR.
GDPR may seem like a barrier to entry. The widened territorial scope makes compliance seem daunting.
So, how compliant do you need to be?
Data flows and data mapping
Data comes in from different streams in an organisation: HR, operations, marketing and so on. It is important to understand your organisation’s data flows. To do this, you will need to undertake a data-mapping exercise, which helps to:
- Understand the data flow: where is the data coming from? Directly from customers, or via suppliers or sub-suppliers?
- Describe the data flow: when is data received, and what do we do with it?
- Identify key elements of data processing: what type of data is collected? Where is it stored and in what format? And who has access to it?
You are required to be compliant with GDPR only for data flowing in from the EU.
If, for instance, your HR data on your South African employees has been breached, you do not have to fulfil the GDPR requirement to notify the relevant authority within 72 hours. But if your client database from the EU has been breached, you are obliged to notify the EU company so that it can fulfil its obligations. Likewise, if you market your services to your EU client database, your marketing process must be GDPR compliant.
In short, even if your organisation falls within the GDPR ambit, it does not mean that all of your organisational processes need to comply with GDPR. Compliance is limited to personal data stemming from the EU.
Where the GDPR does not apply, South Africa's own legislation, the Protection of Personal Information Act (POPIA), will apply.