There is a buzz about data protection and privacy and what that means for business.
South African companies with customers in the European Union that have been asked to ‘comply’ with the EU General Data Protection Regulation (GDPR) will find the legislation comprehensive (and scary). It applies from 25 May 2018.
South Africa has been a little slower than other countries when it comes to living and working in the online space. But we are rapidly catching up, and as we move more and more into the online world, business is asking more of consumers in terms of handing over their information – not always ethically, I might add.
It is up to Government to ensure its citizens are not exploited, and in SA this takes the shape of the soon-to-be-implemented Protection of Personal Information Act 4 of 2013 (POPIA).
But South Africans don’t just do business locally. We are often approached by South African companies with customers in the European Union that have been asked to ‘comply’ with the GDPR.
The problem with EU legislation (and as South Africans we don’t really expect this) is that Europeans generally do what the laws require of them. The EU member states are generally better at enforcing their laws, so non-compliance with a law in the EU is a very different risk from non-compliance with South African legislation (POPIA).
Often the South African company takes the path of least resistance – just sign the contract and say you will comply with the GDPR; after all, who will know? The problem with this approach is that the EU is aware of this tactic and has come up with a fairly diabolical way of combating it.
The EU data protection authorities (DPAs) are empowered to fine the EU company up to 4% of its total worldwide annual turnover (or €20 million, whichever is higher). That fine is levied against your customer, who will then pass it on to you through your contract. What’s worse is that the EU company must not only have a contract with you; the GDPR also requires it to check (audit) that you are complying with the parts of the GDPR that apply to you as its processor.
What do you do?
This puts South African companies in a bit of a bind. It is no longer possible to ‘close your eyes and think of England’ when signing the contract with the EU company; you actually have to do what it says. So what do you do?
When a South African company comes to us, the first issue we tackle is whether it is a data processor (an operator in terms of POPIA) or a data controller (a responsible party in terms of POPIA).
If the South African company is a data processor, most of the responsibility for complying with the GDPR sits with the EU company (the controller), not with the local company. The processor’s own obligations are narrower, and in practice they reach the local company mainly through the written contract the GDPR requires the controller to put in place with each of its processors. In other words, the terms of that contract are really important. The roles of the parties matter because it is not reasonable to expect the data processor (the SA company) to comply with every aspect of the GDPR. That job is for the data controller (the EU company).
All of this brings us back to the basic strategy we always adopt when dealing with EU companies that want SA companies to comply with the GDPR. It is fine for the EU company to ask the SA company to comply with parts of the GDPR, but there are two requirements the SA company must insist on:
- The SA company must not commit to over-complying with the GDPR on the EU company’s behalf – only the parts of the GDPR that a processor must comply with belong in the contract, and
- The SA company must insist on granular detail about exactly what the EU company expects it to do. This is critical: there is little doubt that compliance is going to cost the SA company money, so we must manage not only legal risk but also cost, in terms of human capacity, time, processes and profitability.
Any other approach will lead to big problems.