South African companies doing business with European Union (EU) customers need to consider making changes to their data privacy, technology and oversight processes in the wake of new privacy rules. On 25 May 2018 new privacy rules formed by the EU will be implemented. The General Data Protection Regulation (GDPR) will replace the Data Protection Directive 95/46/EC.
The new rules will apply to the ‘processing’ of ‘personal data’ by “controllers” and “processors” based in the EU, as well as those located outside of the EU if they provide services and goods to EU customers. The GDPR will also apply to all organisations processing and holding personal data of subjects residing within the EU.
“The GDPR will impact many South African and other organisations across the African continent,” Busisiwe Mathe, Risk Assurance Cyber and Privacy leader, PwC Southern Africa says. “Businesses that do not comply with the GDPR face a potential of up to 4% fine of global revenues, increasing the need for organisations to plan for and implement necessary changes to demonstrate good in the eyes of individuals and regulators.”
South African organisations are awaiting the Protection of Personal Information Act (POPIA). The POPIA is likely to be fully enacted in South Africa in early 2019 and comments on POPIA draft regulations closed on 7 November 2017.
Once POPIA is fully enacted, responsible parties and operators in South Africa, processing personal information will have to comply with POPIA as well as potentially having to comply with the GDPR. The GDPR was introduced by the EU more than a year ago and organisations have been given less than two years to comply with them.
POPIA is South Africa’s first piece of comprehensive data protection legislation. It aims to give effect to the constitutional right to privacy by introducing measures whereby personal information processed by organisations is fair, responsible and conducted in a secure manner.
Mathe adds: “Compliance with POPIA will be a challenge for many organisations. The POPIA compliance journey will require organisations to consider many features within their organisation and strategic vision.” The GDPR and POPIA have many commonalities but also a number of differences, one of the most significant being that POPIA includes “juristic” (business) entities in the definition of personal information – this will significantly increase the scope of personal information and provide additional challenges to comply with POPIA.
“After May next year, EU companies that deal with SA can only do so if POPIA is in place or if the SA companies can satisfy their EU partner that they have adequate rules and policies in place regarding data protection.”
Rav Hayer, Financial Services GDPR Lead, PwC UK adds: “Organisations will have to provide clarity on how customer data is collected and stored. Any breaches of data must be communicated within 72 hours to the responsible regulator, wherever the breech occurred and the subjects reside. ”
The GDPR penalties can be up to 4% of an organisation’s global annual turnover whereas POPIA has a maximum R10 million fine or time behind bars. GDPR penalties are much higher than POPIA. The GDPR penalties stand to hurt companies more financially than POPIA if they ignore them. The reputational damage and loss of customer trust are however important business imperatives to comply with POPIA regardless of the significantly lower fines.
In a recent survey conducted by PwC, nearly all of the respondents (92%) considered compliance with the GDPR a top priority on their data-privacy and security agenda in 2017 – with over half of respondents saying it is “the” top priority and 38% saying it is “among” top priorities. The GDPR Preparedness Pulse Survey examines preparedness and why companies are willing to spend $1 million or more on GDPR readiness plans.
PwC surveyed 300 Chief Privacy Officer, Chief Information Officers, General Counsels, Chief Compliance Officers, and CEOs in US, UK, and Japanese companies about their GDPR programmes.
Only 8% of UK companies have finished all their preparations compared to 22% of US companies. “This is likely to be because the US‘s data privacy regulation is currently a lot more stringent than the UK. In the past the ICO hasn’t been as firm as US regulators as our data privacy law isn’t currently enforceable,” Hayer adds.
While many organisations have already begun this process with a range of compliance efforts, many are still in the assessment phase. But despite their status in preparing to comply with the new regulations, most US Companies are already planning to invest in GDPR. According to survey respondents, over three in four (77%) companies plan to allocate $1 million or more on GDPR readiness and compliance efforts – with 68% saying they will invest between $1 million and $10 million and 9% expecting to spend over $10 million to address GDPR obligations.
Survey results also found that information security enhancement is a top GDPR initiative. While much of the discussion has focused on the law’s privacy-centric requirements, information-security obligations figure prominently in GDPR plans of US companies. Among the 71% who have begun GDPR preparation, the most-cited initiatives in flight are information security, privacy policies, GDPR gap assessment and data discovery.
What should you focus on if you haven’t started your GDPR programme?
PwC found that 5% of UK companies have not started preparing for the GDPR. With less than seven (7) months until the compliance deadline, these organisations risk regulator fines, litigation costs, and lost contract opportunities.
The biggest risk for organisations is likely to be third parties, so it is essential that organisations check that their third party contracts are GDPR compliant, Hayer comments.
How much can organisations expect to spend on their GDPR programme?
Of those companies that have completed their GDPR programme, 40% of US, UK and Japan reported spending more than $10 million. The pattern of increased spending was consistent regardless of company size.
Driving competitor advantage – The GDPR and investor relations
The survey found that some companies see their GDPR programs as a potential differentiator in the market. Among companies who believe they have finished their GDPR programmes, 38% have engaged their investor relations departments, an indicator that they hope to highlight early compliance to help drive competitive advantage. These companies should also look to extend this confidence out to their customers to strengthen customer trust in their business and also test their position in advance of the GDPR going live.
“The ‘compliance journey’ involves innumerable challenges and the task is complicated. Entities may find that they have difficult choices to make about their priorities moving forward. Making changes to ensure compliance with the GDPR will require considerable resource investments and lots of planning,” concludes Hayer.