The EU’s General Data Protection Regulation (GDPR) officially came into effect on 25 May 2018 and this policy affects every organisation regardless of size or structure. GDPR extends well beyond the borders of the EU, also preventing European organisations from sending data to other countries unless they are sure that GDPR equivalent data protection laws are in place.
Every organisation will need to adopt an ongoing plan for data monitoring and protection and African companies are no exception. These plans must be flexible enough to take into account the continuously shifting data landscape and will require involvement from all areas of the business – not just the IT department.
To further elaborate on this, IT News Africa interviewed Mike Resseler, Director of Product Management at Veeam, who discussed what companies can expect in the coming months following the GDPR enforcement date. He also spoke about what GDPR means to companies in Africa, building a compliance programme, continual improvement and training, and how the PoPI Act aligns with GDPR.
1. What can organisations expect in the next months following the GDPR enforcement date?
To be quite honest with you, the 25th of May was just the starting point, not the end goal for compliance. After several generous years of grace period, really, businesses have no excuse to not have put in place the requirements to ensure they are compliant with GDPR. Yes, it might seem a bit arduous for some businesses, but GDPR was driven to protect consumer rights around data, not to support business. While we still await the first major fines to be delivered, it is a case of when not if.
The consensus amongst businesses I’ve spoken with is that they’re waiting for someone to fall victim and take their cues from there. Organisations worldwide appear to be waiting to see who falls foul first, and how they can avoid making similar mistakes and suffering similar penalties. There is some ambiguity around how some of the GDPR articles should be met, but this isn’t a reason to stand still.
Our message as a company that has to be both GDPR compliant as a business, and aid companies with aspects of GDPR is that you should work to the EU guidelines as they are so advanced compared to other data protection acts. If in doubt, level up your data management processes and avoid the potential for fines and penalties.
2. How do you know if you must comply?
There’s a simple answer to this. ‘Do you have employees based in Europe or have European customers?’ If so, then you need to be compliant. GDPR has a profound impact on all organisations that are responsible for processing and storing personal European Union (EU) citizen data.
The first essential step that you need to take is to determine if your organisation has personally identifiable information (PII) of an EU resident. You must look at more than just customer or external data. Within your organisation, your employees’ data (mostly with HR) is also categorised as PII. If you employ any European employees, it means that you need to be adhering to the regulation for this data. The ‘employees as a data subject’ aspect is actually an area many businesses have reportedly overlooked. The UK and some other countries have had this covered for some time in their data protection acts, but all countries have until now been operating differently.
3. How do you make sure you do comply?
From our own experience of becoming compliant, we’ve created and shared information with our customers and partners online so they can learn from what we did. Essentially it comes down to five key principles or steps, which are as follows:
(1.) Make sure everyone is aware: Some businesses and organisations are required to appoint a designated Data Protection Officer (DPO). Even if not required for the specifics of their business, to do so is smart thinking. Not only can a DPO be a useful expert, they can also be a data privacy and data management advocate, getting the entire company on board with best practices. Moreover, they’ll be able to recommend the right kind of tools to bring on board that will aid with data management, in the event that the business is attacked.
But even for those businesses who aren’t making a DPO hire, it’s worth remembering that the GDPR is a company-wide issue. This means you should be making sure that all the key stakeholders in your organisation have a solid understanding of the implications and requirements of the new regulation and how it will affect their own processes.
(2.) Conduct a data audit: By now, every business should know what personal data it holds, where it’s stored, how, and where it came from. They also need to know why they’re holding it and how they came to have it. Any or all of these questions might be asked by local GDPR enforcement agencies. Organisations have to justify the legal basis behind their data processing activities. The authorities are not going to be lenient on businesses that suffer breaches and are unable to back their data hosting up to ensure its safety. The fines are real, and soon enough there will be an example that proves it.
(3.) Review personal privacy rights: One of the big changes the GDPR is bringing about is greater citizen rights when it comes to data. Beyond being forgotten, people will also be able to access data, or to request it for themselves (in a format they can digest). To ensure this right doesn’t become a time sink for your organisation, you should make sure you have a way to tag the location of each data point so you can access it when necessary. It’s a small change that could yield big-time dividends.
(4.) Have a plan for data breaches: Under the rules of the GDPR, organisations must report data breaches within 72 hours of discovery. That doesn’t leave long, especially when you consider that the hours after a breach will be a fraught time, with lots of different investigative and firefighting activities going on. As such, it’s key to make sure you have the right plans in place, which will allow for the detection, reporting and tackling of a data breach, should one happen. Here, additional reporting software can help. Tools which allow businesses to add clarity to the location of backup repositories can save time with compliance reporting. And, should data become unavailable because of malware, recovery software can easily make data available again.
(5.) Keep on improving: Of course, it’s good to have a plan, but it’s even better to leave room for continued improvement, particularly where the availability, quality and safety of data are concerned, and when data is fast becoming the most prized asset of our time. Considering the fast-paced world we live in, it’s likely that the digital landscape will change in the coming years – even more so than the last decade. As such, it pays to be able to evolve with the times and to test, trial and evolve with technology.
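As an added illustration (not code from the interview or from Veeam), the following Python personal-data inventory covers the three concrete needs raised in steps (2) to (4): finding EU-resident records with no recorded legal basis during a data audit, listing every system (backups included) that holds data about one subject and exporting it in a portable format for an access request, and tracking the 72-hour breach-notification clock from the moment of discovery. The system names, categories, legal bases and timestamps are constructed sample values, and the record layout is an assumption chosen for the example.

```python
"""Personal-data inventory for a GDPR data audit, subject access requests
and the 72-hour breach-notification clock.

Added example, not code from the interview or from Veeam. All systems,
records and legal bases below are constructed sample data.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
import json

# 72 hours from discovery, as stated in the interview (GDPR Article 33)
BREACH_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class PersonalDataRecord:
    subject_id: str    # hypothetical internal identifier for the data subject
    system: str        # where the data is stored (including backup repositories)
    category: str      # what kind of personal data it is
    source: str        # how the organisation came to hold it
    legal_basis: str   # "contract", "consent", "legal-obligation", or "" if unknown
    eu_resident: bool  # whether the subject is an EU resident


# Constructed sample inventory (not real data)
INVENTORY = [
    PersonalDataRecord("emp-001", "hr-db", "payroll", "employment contract", "contract", True),
    PersonalDataRecord("emp-001", "backup-repo-01", "payroll", "nightly backup of hr-db", "contract", True),
    PersonalDataRecord("cust-042", "crm", "contact", "web sign-up form", "consent", True),
    PersonalDataRecord("cust-042", "marketing-list", "contact", "purchased list", "", True),
    PersonalDataRecord("cust-777", "crm", "contact", "trade show", "consent", False),
]


def audit_gaps(inventory):
    """Step (2): EU-resident records with no recorded legal basis.

    These are the records an organisation cannot justify to a regulator."""
    return [r for r in inventory if r.eu_resident and not r.legal_basis]


def locations_for_subject(inventory, subject_id):
    """Step (3): every system holding data about one subject, backups included."""
    return sorted({r.system for r in inventory if r.subject_id == subject_id})


def export_subject_data(inventory, subject_id):
    """Step (3): a portable JSON bundle answering a subject access request."""
    records = [asdict(r) for r in inventory if r.subject_id == subject_id]
    return json.dumps({"subject_id": subject_id, "records": records}, indent=2, sort_keys=True)


def notification_deadline(discovered_at):
    """Step (4): latest time (ISO 8601 string) to notify the supervisory authority."""
    return (datetime.fromisoformat(discovered_at) + BREACH_NOTIFICATION_WINDOW).isoformat()


def hours_remaining(discovered_at, now):
    """Step (4): hours left on the notification clock; negative means overdue."""
    deadline = datetime.fromisoformat(notification_deadline(discovered_at))
    return (deadline - datetime.fromisoformat(now)) / timedelta(hours=1)


if __name__ == "__main__":
    for r in audit_gaps(INVENTORY):
        print(f"no legal basis recorded: {r.subject_id} in {r.system}")
    print("systems holding emp-001:", locations_for_subject(INVENTORY, "emp-001"))
    print(export_subject_data(INVENTORY, "cust-042"))
    discovered = "2018-06-01T09:00:00+00:00"
    print("notify by:", notification_deadline(discovered))
    print("hours left at 2018-06-03T09:00:00+00:00:",
          hours_remaining(discovered, "2018-06-03T09:00:00+00:00"))
```

The inventory deliberately records backup repositories as separate locations: a subject access or erasure request that only covers the primary database leaves copies in backups unaccounted for, which is exactly the kind of gap a data audit is meant to surface.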
4. What are the consequences of non-compliance?
The fines are colossal: up to 4% of annual global revenue, or EUR 20 million – whichever is higher. It’s essential you make sure your business complies. If in doubt, it’s worth double, triple and quadruple checking your business is compliant. The risk of non-compliance and the resulting fine is too great to take your chances on.
5. What about the Protection of Personal Information Act (POPI)?
The Protection of Personal Information Act (PoPI) was signed into law in 2013, but delays in passing draft regulations and getting feedback have resulted in some organisations putting a low priority on their adherence to the act.
However, companies have to find a common ground to comply with multiple data protection laws. Simply put, fall foul of the regulatory environment, whether it is GDPR or PoPI, and the financial and reputational impact could potentially force your business to close its doors.
6. What should regulators look out for?
Regulators will be looking at the personal data management of the organisation, therefore businesses need to go about protecting their processes with a ‘privacy by design’ approach. This entails embedding privacy and data protection into business practices so that personal data management is considered in the early stages of any project and throughout its lifecycle.
Regulators may likely look at whether a company can demonstrate that it knows where all stored personal data is located and that it has a clear plan to mitigate personal data breaches.
We can speculate on the type of organisations that may get stung first. It’s safe to rule out the public sector, for fines could easily bankrupt many essential services. Yet other sectors may not be so lucky. To stay protected, all organisations need to treat GDPR as an ongoing project – not just a one-time event.
7. How does the GDPR align with the Protection of Personal Information (PoPI) Act?
There are many similarities between the GDPR and the PoPI Act, and while the PoPI Act commencement date will more than likely be at the end of this year, the GDPR may very well influence amendments to it to bring it more in line with the GDPR.
Whether it is PoPI, GDPR, or something else entirely, organisations must constantly evaluate procedures for data privacy and protection, and test and refine their protocols as their digital business evolves.