Small businesses across Europe are being warned that they risk enormous fines if they ignore an overhaul of data protection rules that will affect organisations of all sizes.
The biggest change in a quarter of a century in how companies process information, such as customer lists and employee records, comes into force next May, yet there is little awareness among smaller organisations.
The general data protection regulation, which emanates from Brussels, is designed to hand control of personal data to individuals rather than organisations. A survey of more than 1 000 small companies, commissioned by Irwin Mitchell, a law firm, found that 78 percent had not heard of the new rules, while 86 percent were not aware of the threat of fines. Only 11 per cent had started preparing for it.
Businesses must be much clearer on how customer data is collected and stored, they have to make it easier for customers to tell organisations to “forget” them and must provide greater protection for children. Any data breaches (as a result of hacking, for example) must be communicated within three days to the Information Commissioner’s Office, the data protection regulator.
Companies will be required to obtain an unequivocal “positive indication of agreement” to personal data being processed. Silence will no longer count as consent. Personal data means a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address. Organisations that fail to comply can be fined up to 4 percent of their annual global turnover, or €20 million, whichever is larger.
Matthew Pryke, partner at Hamlins, another law firm, said: “Too many businesses are complacent. Those who leave it to chance and don’t prepare now could be left high and dry if the ICO finds that businesses breach regulations. Given the ICO will need to fund its operations via these fines, it seems inevitable for examples to be made and hefty fines imposed as soon as the legislation comes into force.”
The European Union says that the rules will “reshape the way organisations across the region approach data privacy”. The British Government has indicated that Britain’s decision to leave the EU will not affect the introduction of the rules.
HOW DOES THIS AFFECT SOUTH AFRICA?
The important thing about the GDPR is that it applies worldwide, including to those South African entities who market goods and services to consumers in the EU. It also applies to the monitoring of the behaviour of persons via such as cookies.
These SA entities are going to have to comply with both the Protection of Personal Information Act (POPIA) and the GDPR. The latter rules were introduced by the EU a year ago and entities have been given 2 years to comply with them.
Those entities who are not doing anything about GDPR yet are unlikely to meet the deadline of May next year. The new Information Regulator in SA has said that POPIA is likely to be introduced at the end of this year or early next year, after which there will be a one year grace period to get up to speed. What this means is that after May next year, those EU companies dealing with SA can generally only do so once POPIA is in place or if the SA company can satisfy their EU partner that they have adequate protections or binding corporate rules in place.
Most will not be ready and run the risk of not being able to trade with their EU partners. South African entities need to check over their contracts with clients so that they know who is responsible for what and be prepared to renegotiate. They should also be ready for greater scrutiny in the future, not only from our information regulator, but from EU clients too – because when they get to grips with GDPR, they will want total confidence in whoever is handling their customers’ data.This will mean having sufficient data protection measures in place plus an up to date Disaster Recovery Plan. They will also have to demonstrate that the business is financially secure.