The last thing that you probably want to do is read another article on GDPR, right?
A lot has already been written on the topic but all articles on this GDPR thing are pretty long, technical, boring and they’re probably written by lawyers!
If you haven't bothered to read up on it, don’t worry, we’ve got you covered: by the end of this article you’ll know exactly what it is, why it has been introduced and what you should be doing about it!
Ready, let’s go!!!
Let’s start off with the basics: what is GDPR anyway?
GDPR is a new regulation introduced by the European Union (we shall call them the EU from here on) to replace an older regulation called the 1995 EU Data Protection Directive.
It’s been put forward to drastically increase the protection of the personal data of EU citizens and to increase the accountability of companies who collect and/or process personal data.
It’s not totally new legislation as such, because it builds on the old one from 1995, but it now includes several new provisions that better protect the rights of EU citizens and carries harsher penalties for companies that don’t follow the new regulation.
Why did they introduce the GDPR?
The regulation from 1995 was very limited in its scope and only applied to people within the EU, but that was over 20 years ago, before the dawn of Facebook, Twitter and selfies.
Times have changed and technology has advanced so much that policies and regulations need to be updated to keep up with these changes!
The GDPR is a far-reaching piece of legislation, because even though it’s designed to protect EU citizens, your company will be affected if you’ve ever sold a product or service to someone who is an EU citizen, if you have employees based in the EU, if you offer goods or services to an EU member state or if you have a partnership with an EU state.
The GDPR puts the power back in the hands of the people by ensuring that companies are transparent in how they collect, use, share and store people’s confidential information.
The result of this is that organisations will now make the protection of data a top priority: they will have to take personal data as seriously as they take their own trade secrets.
But doesn't South Africa have its own version of GDPR?
Yes, we do, and it's called the Protection of Personal Information Act (called POPI from here on out because we’re not lawyers).
POPI, much like the GDPR, holds businesses accountable for personal data protection.
It regulates the way businesses collect, process and store people’s data such as names, addresses, ID and passport numbers.
South African businesses must operate with a dual attack strategy: they must put processes in place to become POPI compliant and at the same time they must also keep GDPR front of mind.
The good news is that GDPR and POPI are almost the same in their application because they have a lot of areas that overlap.
This means that companies that are already working towards POPI compliance won't need to start again from scratch, but certain changes will still have to be made so that they become GDPR compliant.
Why compliance will prove challenging for most companies!
If you are anything like me, you’ll struggle to even develop an email filing system, so imagine what a challenge it will be for companies to establish an inventory of what data is being collected, used and stored across the business!
To do this, data will have to be identified and catalogued, while maintaining a record of its data lineage.
Data security will also become one of the main focus areas of any business that deals with personal data.
Organisations will need to protect their networks against breaches and have systems in place to inform affected individuals and authorities if any data is ever compromised.
This is impossible if you don't know where the data resides because you will not be able to prove whether and how well you were protecting the data.
So what happens if you aren't GDPR compliant?
First, you will be reported to a local Data Protection Authority in an EU country.
The DPA will decide whether you are compliant or not.
If you aren’t, you will be asked to get your house in order and become compliant.
Failing that, you will be liable to a fine.
The penalties for non-compliance are jaw-dropping and would result in you having to part with 292 million of your hard-earned ZAR, or 4% of your company’s annual global revenue, whichever is higher!
Losing this amount of money would surely guarantee the death of the majority of companies.
But should your company have deep pockets and a fat wallet, you must also consider that the details of any breach committed will be publicised, and then the cost of the resulting loss of reputation becomes immeasurable.
So the question is...
‘What can you do if you want to be compliant?’
The first thing is to realise that the deadline has passed, but you should still work toward becoming compliant: the longer you wait, the more likely it is that you may get sanctioned, and becoming compliant takes time, so if you haven't started you should get started right now!
Here is a quick summary of the steps you should take toward becoming compliant:
- Start by identifying all the stakeholders and the fundamentals that must be in place for you to put together a framework to follow, so that you can start complying with the regulations.
- Find out what activities need to be performed on data within the organisation. This will involve analysing and understanding the flow of data within the organisation, in other words how information enters the organisation, where it is stored, who processes it, who it is shared with, how it is removed and so on…
- Determine what a GDPR compliant company looks like and what your company currently looks like, then put plans into place and execute on them to bring your company into compliance.
This was just a summary but you should really read deeper into the topic here.
The last important point is to make sure that your workforce is aware of and educated about the legislation. If employees are not aware of their obligations, they become the biggest risk for noncompliance.
And always remember that even after implementation, compliance should remain an ongoing process.
Let us know what value you got from the above and how you will apply it! In the meantime why don’t you dive into some more digital marketing hacks and take all your efforts to the next level!