Ahead of the pending enforcement of the Protection of Personal Information (POPI) and General Data Protection Regulation (GDPR) legislations, organisations are hurriedly carrying out compliancy strategies and tightening up their data security processes.
While this is undoubtedly a good thing, as data security should be a top-of-mind concern for any company that handles personal information, are organisations taking on too much unnecessarily?
GDPR is being put in place to strengthen the protection of the personal information of all European Union (EU) citizens, the parameters of which extend to any organisation who conducts business with, or within, the EU, or who holds the data of any EU citizen outside of its borders. Our local variant, PoPI, is coming into effect in order to ensure measures are put in place to hold local organisations, and those doing business with them, accountable for the security and integrity of personal information belonging to any South African citizen.
There are overlaps between both legislations and, while compliance with both are being encouraged, it may not necessarily make financial or business sense to do so.
Are they both necessary?
Many organisations are diving headlong into their compliance strategies without first considering what they mean; without completely understanding the impact compliance will have on their businesses, financially and operationally.
It is critical that companies first evaluate the necessity to comply with both legislations against their current business strategy as well as their future roadmap.
Compliance can be an expensive and arduous process, especially if the proper research is not done. Over and above the costs of actively ticking the boxes for compliance and the audits required to verify these processes, there may also be large financial and time investments spent in re-organising and redefining business and operational processes and procedures.
This can take several months to accomplish and may even require the hiring of additional, specialised personnel, the purchasing of specific hardware and software, and – of course – establishing proper security measures.
Many businesses are taking a stance of complacency, opting to wait until PoPI is enforced (or a date for enforcement has been set), with some even deciding to remain non-complaint after enforcement – until something goes wrong.
The trouble with the former is that compliance can take a long time to accomplish, and businesses may run out of time if the deadline is sooner rather than later. The latter may make sense to some, however once PoPI is in effect, if organisations are caught out for being non-compliant or a data breach occurs, they could be liable for severe fines and even imprisonment. The risk is simply not worth it.
While PoPI compliance is unavoidable for organisations operating within, or from, South Africa, businesses need to weigh the costs and impacts of complying with GDPR unless it is necessary for business perpetuity, both immediate and in the future.
What’s the difference?
South African organisations who do business solely within our borders and have no plans to expand into European markets within the next two to five years may be best served by putting GDPR compliance on the back burner for the time being.
After all, why spend money that could be better put to other purposes, such as development or innovation, when it doesn’t make sense?
Of course, if South African organisations intend on extending business to European markets in the near future, they will have no recourse but to ensure that they comply with GDPR as well as PoPI. However, this should be done in a logical, step-by-step approach. Although GDPR has a committed enforcement date set for May of next year, PoPI compliance is more critical to sustain local business operations.
From a local perspective, organisations should be addressing PoPI first. However, organisations should still look at the overlaps and address those for both PoPI and GDPR simultaneously, ticking off the necessary boxes for GDPR as they work through their PoPI compliance. The remaining GDPR requirements can be met as and when the organisations determines to move into EU markets. This will ensure that the business saves money as well as time, directing their resource flow with more focus.
Local businesses who are already immersed in EU markets will find themselves needing to comply with both. Again, an evaluation of the benefits and costs should be thoroughly investigated. For some businesses, depending on the extent of the investment required, costs of complying with GDPR may outweigh their income from EU customers.
Where to start?
Above all, organisations need to understand the impact of compliance on their environment to better manage the process, and keep it as simple as possible.
They should engage with the right people to assess their businesses and help them develop a strategy, based on best practices that will simplify compliance for them while avoiding anything unnecessary.
Compliance is inevitable. It doesn’t have to be complicated.