What can we learn from the GDPR?

The European Union privacy law, the General Data Protection Regulation (GDPR), went into effect on 25th May 2018.  Even if you don't follow the GDPR or POPIA, and aren't really interested in privacy laws, you will have been affected.  Users of Facebook, LinkedIn, any other social media platform or any online tool will have received notification from them that their privacy policies had been changed, and that they need to acknowledge that they understand the new terms and conditions.  Other than this immediate requirement, we noticed a few other things.

Time taken to get ready for GDPR, (and POPIA)

Up until the very last day, we received notifications that organisations had now implemented new policies, procedures and processes in accordance with the GDPR.  Why is this significant?  Many of these organisations were very large, very well-known entities, with massive infrastructure and IT budgets.  If these organisations left it to the last minute, and then had to scramble to meet the deadlines, there is a strong chance you'll be in the same position.  For many of them, it wasn't so much that they left it to the last minute, but rather that they underestimated the amount of effort required.  With large infrastructure comes large, complex systems, with many touch-points for Personal Information.  The key learning here is that it will take longer than you anticipate, and will probably need more resources, especially in time, manpower and money, than you expected.  In the interesting Crowd Research report, https://crowdresearchpartners.com/portfolio/gdpr-compliance-report/, over half the organisations researched wouldn't be ready by the deadline.

Don't underestimate the resource requirements

The report cited the following key reasons for not being ready in time:

  • lack of expert staff (43%),
  • lack of budget (40%),
  • limited understanding of GDPR regulations (31%).

It is expected that South African organisations will follow a similar trend.  In our discussions with organisations of all sizes, we are hearing similar comments.  Even when expert staff exist, they are spread thinly and are not available to devote enough time to the POPIA project.  POPIA isn't purely about the law, and experts need to be gathered from various disciplines, including ICT, Records Management, Information Security, Legal, Marketing, HR and change management, and the business functions.  All of these disciplines must provide input if the implementation is to be comprehensive and successful.

Don't underestimate the complexity of POPIA

In another fascinating article published by Bloomberg in Information Management (online) we noted the following: https://www.information-management.com/articles/blocking-500-million-users-easier-than-complying-with-the-general-data-protection-regulation?utm_campaign=security%20briefing-may%2029%202018&utm_medium=email&utm_source=newsletter&eid=f90702d8557f7779c24c2e8aeb5bfd88  

For some of America’s biggest newspapers and online services, it’s easier to block half a billion people from accessing your product than comply with Europe’s new General Data Protection Regulation.

The Los Angeles Times, the Chicago Tribune, and The New York Daily News are just some telling visitors that, "Unfortunately, our website is currently unavailable in most European countries."

If one considers the size of some of those publications, then this has to tell us that the tentacles of privacy are very far-reaching.  Almost all organisations have websites, and if the website is read in Europe, and especially if it is a subscription-based site with users from all around the world, the cost of compliance may be very high.  For these newspapers, the risk of not complying is considered so high that the service is no longer available, even if only temporarily.

GDPR compliance is a great starting point for South African organisations who are embarking on the POPI Act journey

Complying with the GDPR is not a simple task, and neither will be complying with the Protection of Personal Information Act (POPIA).  But it is unavoidable and can't be ignored.  Privacy is a serious issue and needs to be taken seriously.  Until the South African Regulations are finalised and in force, local companies are encouraged to look to the GDPR for guidance.  Whilst there are some clear differences in requirements, the principles are similar.

The earlier you start, the easier it will be

Whilst this sounds like a trite statement, the reality is that those who start preparing now will be able to implement relatively easily, and without the stress and mistakes that come with the last-minute rush.

You don't have to do it alone, or reinvent the wheel

There are some very skilled organisations out there who can assist in all aspects of implementing POPIA.  We have gathered a team of specialists who can assist, and have compiled a set of instruments that will speed up the process, without you needing to start from scratch or reinvent the wheel.  Contact us to find out how we can fast-track your process and reduce the costs and time taken to be compliant, at the same time as possibly improving business processes.


South Africa is following the GDPR quite closely.  By implementing according to the GDPR, organisations should be comfortable that they are largely compliant with the Protection of Personal Information Act.  It will still require tailoring to our specific requirements, but GDPR forms a great starting point.

Click on the item below to see the details

  • Article 1 – Subject-matter and objectives: Actions

    GDPR Article 1: Actions to take

    Understand the POPI Act and the Regulations when completed, and take every action to comply with the Act.

    Follow our list of POPI Act compliance actions, which will be updated on a regular basis.

    Subscribe to our newsletter and update database.

  • Article 1 – Subject-matter and objectives: POPIA implications

    GDPR Article 1: Implications for POPIA

    Protection of natural persons and their right to privacy is enshrined in the Constitution. The Protection of Personal Information Act (POPIA) is South Africa's privacy law and introduces requirements for the processing of Personal Information.

    Regulations to the Act are expected to be finalised in early 2018 and will provide detail regarding what organisations need to do in order to comply.

    If a South African organisation conducts business with an EU organisation, they need to understand the implications of the GDPR.  Any cross-border flow of information to and from the EU should be considered.

    The Protection of Personal Information Act (POPIA) gives effect to the constitutional right to privacy by safeguarding personal information when processed by a responsible party, subject to justifiable limitations.

    The Protection of Personal Information Act (POPIA) includes provision for justifiable limitations, including:

    (i) balancing the right to privacy against other rights, particularly the right of access to information; and
    (ii) protecting important interests, including the free flow of information within the Republic and across international borders.

  • Article 1 – Subject-matter and objectives: GDPR

    GDPR Article 1: Rules relating to the protection of natural persons' information

    This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

    This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

    The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.  
