TALKING BUSINESS
The General Data Protection Regulation is a piece of legislation that was approved and put in place by the European Parliament in April 2016. As European Law, it will fully take effect after a 2-year transition ending 25 May 2018; it will impact not only the UK and the member states of the EU but countries that are trading with the EU.
As a result, there are questions that require answering; namely, how do you comply and when can you transfer data?
When can personal data be transferred outside the European Union?
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection.

You may also transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.
Complying with the regulation
In compliance with GDPR, organisations must ensure measures have been taken to minimise risk and the chance of data breach. These processes and policies will also ensure organisations are accountable and can be governed; part of the ICO guidelines on GDPR says organisations must “Implement appropriate technical and organisational measures that ensure and demonstrate compliance.”
If firms do not comply with the regulations put forward by GDPR, they can be subject to hefty fines. Both the data controller and the data processor will be subject to fines, with the regulatory bodies of each country working in tandem to establish the appropriate measures to take. Furthermore, companies of all sizes will be subject to punishment for non-compliance. Recently, the Spanish authorities fined Facebook for having inadequate data sharing policies; the fine totalled 1.2 million euros. Facebook was found guilty of ‘not adequately collecting the consent of either their users or non-users’.
PoPI vs GDPR
GDPR operates in a similar vein to the Protection of Personal Information Act (PoPI), which is altering the scope of data protection, management and governance in South Africa.
PoPI, simply put, is legislation that protects a person’s right to privacy and sets out the measures that must safeguard their personal information when it is processed by a responsible party. The eight principles governing the protection of personal information – during its processing and use – against loss, damage and its unlawful or unauthorised access, processing and destruction are summarised as follows:
• Accountability
• Processing limitation
• Purpose specification
• Further processing limitation
• Information quality
• Openness
• Security safeguards
• Data subject participation
PoPI requires effective data management structures
Various delays in passing drafts and awaiting feedback have so far led to adherence to the PoPI regulations being low on the priority list for organisations. The data management that PoPI requires, however, should already be in place, according to Claude Schuck, Regional Manager for Africa at Veeam.
The Protection of Personal Information Act (PoPI) will fundamentally change how companies store, process and use personal customer data. And even though it has not yet officially been implemented, organisations have been steadily working on ensuring their compliance to avoid future penalties. But with the one-year grace period soon to begin, are businesses taking it seriously enough and starting to act?
Part of the problem is the fact that while PoPI was signed into law in 2013, delays in passing draft regulations and getting feedback have resulted in some organisations putting a low priority on their adherence to the act. However, the requirements to comply with PoPI are comprehensive. For businesses yet to act, fortune has been on their side.
In August, the Information Regulator published draft regulations and issued a call to all interested parties to provide comments. The deadline for feedback was 7 November, signifying one of the final steps before PoPI comes into effect and the grace period can start.
Despite this, the hype cycle around PoPI seems to ebb and flow as the media attention grows and dissipates. In certain respects, the growth of data and the pressure to have it always-on and available, combined with a