When the General Data Protection Regulation (or GDPR) was unveiled in May 2018, it provided a complete overhaul of how EU companies acquired, processed and managed customer data. Interestingly, these regulations also impacted international firms that catered directly to EU citizens, meaning that companies based in Africa and Asia were also compelled to comply.
This comprehensive regulatory measure provided an upgrade to the longstanding Data Protection Act, whilst making clear provisions for the export and transfer of personal data outside of the EU and EEA regions. This has caused some issues for South African businesses, which in turn has raised the risk of non-compliance and potential financial sanctions.
We’ll explore this further below, whilst asking why South African firms are the most likely to struggle when implementing the GDPR.
South Africa and the GDPR – What are the Main Challenges?
One of the main issues in South Africa revolved around clarity, with the region’s data protection provisions already governed by the Protection of Personal Information Act 4 of 2013 (POPIA).
In fact, Europe’s GDPR framework could even be described as a first cousin to the POPIA legislation, and whilst the latter has only been partially implemented, it currently applies to all organisations operating within the boundaries of South Africa.
So, if you own a South African-based business which boasts an international customer base that includes EU residents, you’ll need to comply with both pieces of legislation whilst also maintaining operational efficiency.
For the purposes of compliance and international trade partnerships, this also means that the unique terms of both the POPIA and GDPR must be read together. Of course, this is helped by the fact that the former has been largely modelled on the structure of the latter, but it still creates regulatory challenges that businesses must strive proactively to overcome.
Of particular concern are the additional data protection requirements included in the GDPR, which did not feature in the previous EU Data Directive or the POPIA legislation.
Similarly, there are some aspects of the POPIA that are more detailed than the GDPR. For example, the POPIA framework protects the data of both natural and juristic persons in the South African region, whereas the GDPR only safeguards the information provided by people or individuals.
How to Overcome These Challenges
The financial services sector is arguably struggling the most to comply with these frameworks, whilst this marketplace also has the most to lose through non-compliance.
These firms also collate data from across the globe, so there’s a pressing need for them to be proactive when enforcing the GDPR and POPIA and safeguarding the data of their clients and partners.
In terms of overcoming these subtle but often important challenges, it’s imperative that firms seek out expert guidance from international consultancy firms such as RSM. After all, these companies are well-versed in compliance issues and the challenges facing South African businesses, whilst they’re well-placed to provide detailed information for each individual client.
Make no mistake; South African firms have been relatively slow to implement GDPR laws, even more than a year after the legislation was first rolled out. However, it’s important to recognise the additional challenges in this region, before developing ways of helping businesses to comply across the board.