Understanding GDPR and POPIA: Key Data Privacy Laws

Spotlight on the General Data Protection Regulation (GDPR)

This IT Governance and Legal Compliance series outlines two data privacy laws that are likely to affect your business. Europe's GDPR and South Africa's POPIA. 

In case you missed it, South Africa's Protection of Personal Information Act (POPIA) officially commenced on 1 July 2020. All entities that process personal information within South Africa, or of her citizens, have a one-year grace period to comply. 

Affected organisations amend their IT governance and compliance policies to accommodate these regulations. As they do, it's apt to explore one other major data protection law that is considered a global benchmark, the GDPR. 

Data Protection Legislation Around the World in 2020

In this age of the global village, it's best that you know a thing or two about data privacy laws. Our previous blog, Data Protection Explained, answered the question, "why is data a big deal?"

Data privacy or protection is a branch of data security relating to the proper handling, collection, and safekeeping of data connected to a person's identity for confidentiality and anonymity.

High-profile data breaches have created a heightened concern about the ways data can be protected and kept private. Hence the inception of new laws and acts to govern data privacy.

Summary of Data Privacy Laws: GDPR, CCPA, and POPIA

When combined, these three laws provide a well-rounded data privacy framework.

This series dives into the GDPR and POPIA. We aim to cover the CCPA soon.

GDPR - General Data Protection Regulation

The GDPR is widely regarded as the gold standard of data protection laws. It came into effect in May 2018, replacing yet another trailblazing law, the Data Protection Directive of 1995.

In Short:

GDPR gives EU citizens more control over the collection, use and protection of their data. Thus, the law addresses the transfer of personal data outside of the European Union (EU) and the European Economic Area (EEA).

Applies to:

All EU and EEA organisations in member states and any organisations outside of territories that offer goods or services to customers and businesses in the EU and EEA. A.k.a pretty much every business.

What about Brexit? At the time of publishing this blog, the UK government's stance is that Brexit will have no impact on the enforcement of GDPR in the country.

Noteworthy:

The legislation binds organisations to strict rules about "using and securing the personal data they collect from people, including the mandatory use of technical safeguards like encryption and higher legal thresholds to justify data collection.³

"Data subjects have the right to request a portable copy of the data collected by a controller in a common format," ⁴ and the "right to be forgotten", which means that data subjects can have their data erased under certain conditions".

Max Penalties:

Whichever fee is higher between 4% of global annual revenue or €20 million.

GDPR is centred on seven principles for lawful data processing

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality (security)
7. Accountability

Processing refers to the "collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data." ⁵

A Broad View of GDPR Compliance

Data Minimisation

• Don't collect more information than is absolutely necessary.

Integrity and Confidentiality (Security)

• Implement information security protections that guard against hackers and accidental leaks. In other words, strengthen security to mitigate breaches.
• At a minimum, the GDPR encourages website encryption, pseudonymisation and anonymisation.

Accountability

• Document/keep records of how personal information is handled, and what controls are in place to limit access to the data.
• Regular Data protection and cybersecurity employee awareness training are essential.
• Keeps records of the collection and storage of personal data.
• Organisations with more than 250 employees need to also record the reason for processing personal information, what information is being held, for how long, and how it is processed. They also need to detail their technical security procedures and protocols.

It's wise to include GDPR compliance measures in your IT Governance policies as the legislation has such a far reach. Even if you are not doing direct business with any EU or EEA members now, you could in the future. At that point, you will be obligated to uphold the GDPR.

GDPR has also set the standard for most other data privacy laws. So, it's likely that by complying with this law, you'll invariably be compliant with others.

Next Up in the IT Governance and Legal Compliance for the Global Village Series: Spotlight on the Protection of Personal Information Act (POPIA)

Sources

¹ United Nations Conference on Trade and Development | Data Protection and Privacy Legislation Worldwide https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx

² California Privacy Law (CCPA) | CCPA Compliance With Cookiebot. https://www.cookiebot.com/en/california-privacy-law-ccpa-ccpa-compliance-with-cookiebot/

³ Does the GDPR apply to companies outside of the EU? https://gdpr.eu/companies-outside-of-europe/

⁴ General Data Protection Regulation https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

⁵ The Seven Principles https://www.uhi.ac.uk/en/about-uhi/governance/policies-and-regulations/data-protection/the-seven-principles/