This IT Governance and Legal Compliance series outlines two data privacy laws that are likely to affect your business: Europe's GDPR and South Africa's POPIA.
In case you missed it, South Africa's Protection of Personal Information Act (POPIA) officially commenced on 1 July 2020. All entities that process personal information within South Africa, or of her citizens, have a one-year grace period to comply.
Affected organisations are amending their IT governance and compliance policies to accommodate these regulations. As they do, it's apt to explore another major data protection law that is considered a global benchmark: the GDPR.
Data Protection Legislation Around the World in 2020
In this age of the global village, it's best that you know a thing or two about data privacy laws. Our previous blog, Data Protection Explained, answered the question, "why is data a big deal?"
Data privacy or protection is a branch of data security relating to the proper handling, collection, and safekeeping of data connected to a person's identity for confidentiality and anonymity.
Data privacy is a huge concern for all businesses in the digital age.
High-profile data breaches have created a heightened concern about the ways data can be protected and kept private. Hence the inception of new laws and acts to govern data privacy.
When combined, these three laws provide a well-rounded data privacy framework.
Law | Focus
--- | ---
The European Union's General Data Protection Regulation (GDPR) | Focused on creating a "privacy by default" legal framework for the citizens of the entire EU.²
The United States' California Consumer Privacy Act (CCPA) | Aims to create transparency in California's colossal data environment and to give rights to its consumers.²
South Africa's Protection of Personal Information Act (POPIA) | Regulates lawful data processing to safeguard the personal information of both natural and juristic persons from harm.
This series dives into the GDPR and POPIA. We aim to cover the CCPA soon.
The GDPR is widely regarded as the gold standard of data protection laws. It came into effect in May 2018, replacing yet another trailblazing law, the Data Protection Directive of 1995.
In Short:
GDPR gives EU citizens more control over the collection, use and protection of their data. It also addresses the transfer of personal data outside of the European Union (EU) and the European Economic Area (EEA).
Applies to:
All organisations in EU and EEA member states, and any organisations outside those territories that offer goods or services to customers and businesses in the EU and EEA. A.k.a. pretty much every business.
What about Brexit? At the time of publishing this blog, the UK government's stance is that Brexit will have no impact on the enforcement of GDPR in the country.
Noteworthy:
The legislation binds organisations to strict rules about "using and securing the personal data they collect from people, including the mandatory use of technical safeguards like encryption and higher legal thresholds to justify data collection."³
"Data subjects have the right to request a portable copy of the data collected by a controller in a common format,"⁴ and the "right to be forgotten", which means that data subjects can have their data erased under certain conditions.
Max Penalties:
The higher of 4% of global annual revenue or €20 million.
GDPR is centred on seven principles for lawful data processing.
Processing refers to the "collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data."⁵
The seven principles, as set out in Article 5 of the GDPR, are:
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity and Confidentiality (Security)
- Accountability
It's wise to include GDPR compliance measures in your IT Governance policies, as the legislation has such a far reach. Even if you are not doing direct business with any EU or EEA members now, you could in the future. At that point, you will be obligated to uphold the GDPR.
GDPR has also set the standard for most other data privacy laws. So, it's likely that by complying with this law, you'll be well on the way to complying with the others.
Looking for guidance or assistance with your IT Governance and legal compliance policies? Speak to us today, your trusted technology advisors.
Next Up in the IT Governance and Legal Compliance for the Global Village Series: Spotlight on the Protection of Personal Information Act (POPIA)
Sources
1. United Nations Conference on Trade and Development | Data Protection and Privacy Legislation Worldwide. https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx
2. California Privacy Law (CCPA) | CCPA Compliance With Cookiebot. https://www.cookiebot.com/en/california-privacy-law-ccpa-ccpa-compliance-with-cookiebot/
3. Does the GDPR apply to companies outside of the EU? https://gdpr.eu/companies-outside-of-europe/
4. General Data Protection Regulation. https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
5. The Seven Principles. https://www.uhi.ac.uk/en/about-uhi/governance/policies-and-regulations/data-protection/the-seven-principles/