What is the GDPR

Media Rocket
Black Ink Advisory

--

The GDPR (General Data Protection Regulation) is Europe’s new framework for data protection law. It aims to “harmonise” data privacy laws across Europe and to give greater protection and rights to individuals within the EU.

It will require companies covered by the GDPR to be more accountable for their handling of people’s personal information, by having data protection policies, data protection impact assessments and relevant documents describing how data is processed. Bigger companies may be required to document why people’s information is being collected and processed and how long it is being kept for, and for some companies the appointment of a data protection officer will be mandatory.

When do the new regulations come into force?

25 May 2018

Does it apply to me?

The GDPR does not only apply to organisations located within the EU but also to companies located outside its borders.

It is important to note that it is irrelevant whether a company has an establishment in the EU or whether the data-processing activities take place in the EU: the GDPR will apply if any of the factors below are present:

  • offering goods or services to EU citizens, irrespective of whether any payment is received;
  • processing or holding information on EU citizens;
  • monitoring the behaviour of EU citizens.

The GDPR’s application is not limited to companies that have a legal entity in the EU, as explained above, but rather it applies to any company with permanent and stable business activities in the EU. This means that companies with a representative in the EU, companies that have a specific website directed at an EU country or companies with a local EU postal address or bank account could be included.

Is my website directed at an EU country?

Whilst the exact scope of the GDPR is still to be determined, it is suggested that if your website is a unique website on an EU-country top-level domain (so rather than .co.za your website ends with .co.uk), is in the host country’s language or accepts local currency, it could fall under the ambit of the GDPR.

What if I don’t comply?

Non-compliance can result in fines of up to €20 million or 4% of a company’s global turnover, whichever is higher.

Basic compliance

There are many requirements in order to comply with the GDPR, but the primary ones are:

  • There must be informed consent from an individual before you can collect, store or use their personal data;
  • A person whose data you have collected has the right to withdraw their consent and for the data to be deleted;
  • You must ensure you collect accurate information and only so much as is needed;
  • You have specific obligations should the data be breached.

How do I obtain consent?

Obtaining consent to collect and use an individual’s personal data is core to the GDPR.

Consent must be clearly and specifically requested by the company in an easy-to-understand way. This means that consent can no longer be obtained by burying it in heavy and indigestible legal jargon, or by requiring a user to opt out of giving consent. Many companies will have to redraft and present their requests for consent in a manner entirely different from what they are used to.

Are my privacy policies in order?

Privacy policies are required to be easily understandable and to clearly state the purposes and manner of the collection and use of the data. Standard boilerplate policies will no longer be sufficient and companies will have to review them in order to avoid penalties.

Ask yourself:

  • Is it easy to understand?
  • Does it clearly state what data is being collected and for what purpose?
  • Does it allow users to make informed decisions about their data (e.g. can they access or amend the data)?
  • Does it accurately reflect how the business operates?

What is Personal Data?

The GDPR regulates the collection and usage of the personal data of a living natural person. This means that it does not apply to deceased people or to juristic entities (e.g. companies).

Individuals protected by the GDPR include employees, customers and suppliers. The types of data covered include tracking of online behaviour, CCTV recordings in which someone is identifiable, data held in a cloud database, biometric data and even photographs in which someone is identifiable.

The GDPR distinguishes two key types of data: “personal data” and “sensitive personal data”.

Personal Data

Personal data broadly means any piece of information that can be used to identify a person, directly or indirectly. This includes information such as a person’s name, residential address or even IP address. The definition stretches as far as to include social media posts and photos.

Sensitive Data

Sensitive data is defined as information in a “special category”; this includes trade union membership, religious beliefs, political opinions, race and sexual orientation.

GDPR & PoPI

South African businesses will be required to comply with both the GDPR and PoPI. Luckily there are many overlaps between the two, and compliance with the GDPR will be a good step towards complying with PoPI.

Cookies

The EU is planning to implement the “ePrivacy Regulation” as the counterpart to the GDPR. Although not yet passed, it will extend the reach and strength of the GDPR.

The ePrivacy Regulation will regulate all forms of electronic communication, such as websites, email, apps and instant messaging.

All materials have been prepared for general information purposes only, to permit you to learn more about the subject and our services, and amount to no more than opinion. The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice.

For more information get in touch with Black Ink Advisory
