By Thilen Pillay, Regional Divisional Director - Risk Advisory Services, RSM South Africa
Preparation for Storm GDPR
Africa has 17 countries in which data protection legislation has been adopted. In addition, the African Union (AU) has adopted the AU Convention on Cybersecurity and Data Protection, which comes into force only once 15 of the 54 AU member states have ratified it. The data protection laws adopted by African countries share many principles with the GDPR, but they differ in some key areas. Some jurisdictions require organisations to register with a data protection authority, while others do not. Some countries are very prescriptive about cross-border data transfers, while others impose few or no requirements. In South Africa, a key distinction between the GDPR and the Protection of Personal Information Act (POPIA) is the definition of a ‘person’ and, by extension, what constitutes personal information: POPIA includes juristic persons such as companies in its definition of ‘person’, so information about a company can be personal information under POPIA in a way it cannot be under the GDPR.
The disparities in data protection legislation across the African continent already prove challenging for multinational organisations with an African presence, and when the requirements of the GDPR are added on top, these challenges can seem overwhelming. How, then, can a multinational organisation achieve optimal compliance? The answer is to adopt a single, higher data protection standard across the group. If that higher standard is applied everywhere, with each country’s specific legislative requirements layered on where they go further, compliance efforts can be streamlined considerably.
Organisations have significantly underestimated the time and effort required for GDPR compliance. Organisations such as non-profits that receive international aid funding, as well as those that act as outsourced service providers to EU organisations, have invested time and money in creating data mapping and GDPR readiness assessment templates. However, the time, tools and investment actually required to close the gaps identified by those readiness assessments have been grossly underestimated on the road to compliance. Organisations have only recently started sending GDPR self-assessment questionnaires to their outsourced service providers, such as payroll processors. The responses indicate that many of these providers are not GDPR ready in terms of their obligations as processors, which in turn has an adverse effect on the organisation’s own ability to comply as a controller.
Organisations should not assume that security technology alone will satisfy all of their privacy compliance requirements. An effective compliance approach must cover people, technology and business process.
Technology is evolving at a rapid and exciting pace. However, with great technology should come great responsibility and accountability, which is why data privacy requirements are only going to increase. This is a good thing, as it helps protect the high volume of our personal information held by controllers and processors. Controllers and processors will therefore need to work towards increasing their information security risk maturity and ensure that data privacy is always on the agenda at C-suite level.