In 2016, the European Union adopted new legislation on the processing of personal data, which came into force in May 2018. The new rules replace provisions that dated back to the 1990s and had been rendered largely obsolete by rapid technological developments such as big data and the cloud. As things stand, the EU has implemented one of the most comprehensive and strict sets of rules regulating personal data, with a clear focus on privacy. African businesses need to pay attention, because the new legislation could apply to them, too.
How to Protect Personal Data Effectively
It is no secret that data is the currency of our modern digital world. Companies are therefore holding and processing an ever-increasing volume of personal data, which makes data protection policies a top priority. A data protection strategy helps businesses and organisations keep track of personal data across mainframes, relational databases, big data platforms and hybrid cloud environments, and to be alerted to suspicious activity so that unauthorised access can be detected and stopped early. Proactive technical measures such as monitoring, data encryption and data masking significantly reduce both the likelihood and the impact of a data breach. They also help companies comply with the requirements set out by regulators and supervisory authorities, in this case the new General Data Protection Regulation (GDPR) adopted by the EU.
The GDPR obliges businesses and any other private entities that process personal data and fall within its scope of application to take such technical measures in order to achieve a level of data protection appropriate to the risk. Companies also need to take organisational measures, such as carrying out data protection impact assessments for processing that is likely to pose a high risk to individuals, and setting up specific procedures for responding to data breaches. At the end of the day, the underlying aim of the GDPR is to make sure that policies safeguarding privacy become commonplace throughout the lifecycle of an organisation's activities. This is why it provides for the "data protection by design and by default" principle, which mandates that, by default, only the personal data strictly necessary for a specific purpose is processed, as the European Data Protection Supervisor explains. Companies also have a deadline of 72 hours from the moment they become aware of a data breach to report it to the supervisory authority, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to the people whose personal data was compromised, those individuals must be informed as well, and the company is expected to document the incident and the measures taken to contain it.
What Does the GDPR Mean for Africa?
What does all this mean for African companies? First of all, the GDPR is an important example of what African countries could aim for in their own data protection legislation. The World Wide Web Foundation has stressed that this is an opportunity for Africa to raise the bar, as most countries still lack relevant rules, while others have passed laws but do not enforce them. Unless African governments step up and accept this challenge, their nationals risk becoming what the Foundation has dubbed "second-class digital citizens" when it comes to the right to privacy.
The current situation on the African continent has seen some countries set themselves apart, like Ghana, which passed its own Data Protection Act in 2012. South Africa is another good example, with its Protection of Personal Information Act (POPIA), which in some respects mirrors the concepts that form the bedrock of the GDPR. But although it was enacted in 2013, the POPI Act had still not been brought fully into force at the time of writing.
Angola, Morocco and Mauritius have also passed their own data protection rules, but the overall picture across the region remains bleaker than it should be. As new initiatives emerge that push for data protection reform, the GDPR is bound to be a push in the right direction, not only as a legislative paradigm but also through its direct applicability to African companies. Although the GDPR was enacted by the EU, its territorial scope reaches further: it also covers companies outside the EU that process personal data in connection with offering goods or services to people in the EU (whether or not payment is required) or with monitoring their behaviour within the EU.
Businesses which do not comply are subject to hefty penalties which can reach a maximum of €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher.
African companies that process the personal data of people in the EU in these ways must comply with GDPR requirements. While that may be perceived as a hassle, it is also a good thing, as it could foster a culture of data protection that is unfortunately still lacking in most industry sectors.