The General Data Protection Regulation (“GDPR”) is created by the European Parliament, the Council of the European Union and the European Commission, to consolidate and unite data protection for EU citizens.

The GDPR governs any data processing activities performed by a controller in the European Union (“EU”).  The GDPR furthermore applies to all processing of personal data of persons living in the EU, even if the entity that processes the data is not in the EU.  Thus, if any entity offers goods or services to EU citizens or monitors their behaviour, they must comply with the GDPR.

As of 25 May 2018, organisations that have not yet taken the necessary steps to ensure that they comply with the GDPR could be strictly penalised.

Although the GDPR is an EU regulation, South African organisations should nevertheless comply with it.  South African companies must take the GDPR, which is one of the most important changes in privacy regulations in 20 years, very seriously.

The GDPR, in line with its risk-based approach requires organisations to take responsibility for the way in which they process information, especially personal information. The penalties for a breach under the GDPR can be a fine of up to 4 percent of their annual turnover or € 20 million, whichever is greater.

The inevitable fact is that any South African company dealing with personal data relating to the EU must comply with the GDPR and, if this is not done, they may face the same major consequences as the EU organisations for non- compliance.

GDPR applies to any South African organisation that holds or processes data about EU citizens, regardless of the location of the headquarters.  These include companies that have employees in the EU, sell or market products or services in the EU, or partner with EU organisations.

In addition to the GDPR businesses operating in South Africa must also comply with the Personal Information Protection Act 4 of 2013 (“POPI”). POPI’s goals are to regulate the processing of personal information and data protection to align South African data protection laws with international standards.  Although businesses operating in South Africa need to be focused from a data protection perspective to put systems in place to ensure compliance with POPI, they should not neglect the (GDPR). POPI’s penalty for non-compliance is a fine of up to R10 million or 10 years’ imprisonment.

The GDPR will be applicable where businesses in South Africa:

  • have employees based in an EU Member State;
  • offer goods or services in an EU Member State;
  • has a partnership with an EU company; and
  • business Process data of an EU member citizen or temporary resident.

Yes, South African businesses should comply with the GDPR because businesses operating in South Africa must be aware of the fact that the GDPR applies in EU Member States as well as where data is transferred to, or transferred from, the EU- thus impacting South African organisation.

30 May 2018