What is GDPR, and to whom does it apply?

The EU’s General Data Protection Regulation (GDPR) is the culmination of four years of efforts to update data protection for the 21st century, in which people regularly grant permissions to use their personal information for a variety of reasons in exchange for ‘free’ services.

In the UK, GDPR will replace the Data Protection Act of 1998, which was brought into law to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data and introduced hefty penalties for organisations that fail to comply with the rules, and for those that suffer data breaches. It also ensures data protection law is almost identical across the EU.

When does it come into effect?

The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It was adopted on 27 April 2016, and becomes enforceable on 25 May 2018, after a two-year transition period.

What are the laws on data protection

The Data Protection Act specifies that companies should have protection in place for customers’ personal data.

There are different types of data that should be protected.

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

Consequences and fines for a data security breach

There will be two levels of fines based on the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. The potential fines are substantial and a good reason for companies to ensure compliance with GDPR.

 What is the definition of personal data, and how long may you keep personal data?

Personal data are any anonymous data that can be double checked to identify a specific individual (e.g. fingerprints, DNA, or information such as Credit Card details, Home Address’, Phone Numbers etc.)

If the data is captured for direct marketing, part of this justification could be that brands should be allowed to store the data for as long as the individual can be considered a customer.

WhatsApp is going to raise the age limit to 18, in South Africa

WhatsApp is likely to raise the minimum age to use the service in South Africa to 18 years. It will make the change in about 18 months’ time, before the end of the grace period for organisations to be in full compliance with the Protection of Personal Information (POPI) Act.

GDPR and South African businesses / POPI Act

POPI is largely based on the European Union Data Protection Directive (“EU Directive”) and has a Commonwealth influence. While many South African businesses are already in the process of putting systems in place to ensure compliance with POPI, they should not neglect to take into consideration whether they must also comply with the General Data Protection Regulation (“GDPR”)

South African companies are urged to take steps to ensure compliance not only with POPI but also with the GDPR, where applicable, to avoid heavy fines.