South African businesses might be under the impression that the General Data Protection Regulation (GDPR) does not require their attention because it will come into effect across the European Union (EU) – but they are mistaken. Europe’s sweeping reforms to data protection will change the business landscape for local and African businesses because the reality is that in this connected world, we do not operate in a bubble.
Businesses in South Africa (no matter their size) are also operating in Europe and according to the new regulation (which comes into effect on 25 May 2018), any company that holds information about a European citizen must comply. Additionally, “if your company offers goods or services to individuals in the European Union or monitors their behaviours there, it will most likely need to comply,” states IT News Africa.
If you sell goods through an e-commerce website, sell software development or offshore call centre services, you will have to ensure that GDPR regulations are met. The regulation aims to emphasise the duty of third-party suppliers handling personal data to ensure they are compliant. Here is a breakdown on how to ensure your company remains on the right side of the GDPR.
What constitutes personal data?
GDPR compliance will be different for each business. It all depends on how you use personal data. Any piece of information that’s used to identify an EU citizen is characterised as personal data. It can be as simple as an email address and ID number, or more ambiguous data points like biometric data, location information and IP addresses. This pertains to all personal information collected before 25 May.
Your business can process personal data under these conditions:
- Consent: The data subject has given consent.
- Contract: Your business may process data to fulfil a contract.
- Legal obligation: Process data when your business is required to comply with applicable laws.
- Vital interest: When your business is permitted to process personal data, i.e. medical reasons.
- Public task: When it is in the public interest to do so.
- Legitimate interests: Process personal data as part of a legitimate reason.
Key requirements of the GDPR
- Data processing must be lawful, meaning that data must be used for the legitimate purposes for which it was originally collected.
- Limit data storage. Only collect data absolutely required for its purpose. Once the purpose has been fulfilled, the personal data must be deleted. This is a tricky one since companies might require the information at a later stage. Consent from the data subject must be given if you intend to process personal data beyond the legitimate purpose.
- Subjects are within their rights to ask companies what data they hold on them.
- Ensure confidentiality. Process data with appropriate security measures in place to ensure data cannot be tampered with or modified.
- Data subject should be informed within 72 hours of a data breach. Put procedures in place to detect, report and investigate a data breach.
- Be transparent with the data subject regarding the processing of their data.
The Information Commissioner’s Office has drafted a useful document on how to prepare your business for the GDPR.
What happens if your business doesn’t comply?
Businesses must prepare themselves before the regulation takes effect because there is no grace period or crossover time. Since this is of paramount importance, and one cannot afford to miss a requirement, we strongly recommend all businesses to seek their own legal advice to ensure compliance. Non-compliance could result in hefty penalties.
Ensure compliance with digital regulations
SynergERP has been a Sage Platinum Partner since 1993. Sage is ready for the GDPR because it leads the way in modelling best practices for compliance. All Sage products and services adhere to compliance regulations set out by the GDPR. Read here to learn more about their compliance.
Companies can use technology to help them make sense of their data. Large amounts of data can be stored and correctly identified. It also makes data quickly searchable when requested.
If you’re in the market for an ERP system that’s compliant with the GDPR data regulations, look no further. For more information, download our comprehensive brochure.