GDPR applicability to South African businesses – not just for the EU after all

Businesses operating in South Africa are currently facing the imminent implementation of the Protection of Personal Information Act 4 of 2013 (POPI); however, there is much debate as to whether businesses also need to comply with the EU's counterpart to POPI, the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018.

GDPR is clearly not South African law but it governs the manner in which businesses collect, process and store personal data that could lead to the identification of an individual who is resident in the EU or is a citizen of any member country of the EU, including the UK, regardless of his/her country of residence at any given time. Such individuals have the right to know how, what, when, where and why their personal data is being processed.

Accordingly, GDPR will apply to businesses in South Africa that:

  • Process or control personal data of a citizen or temporary resident of an EU member state;
  • Have employees based in an EU member state;
  • Employ EU expatriates in South Africa;
  • Partner with an EU business that processes personal data of those individuals who are afforded protection; or
  • Process personal data pertaining to an EU citizen, such as monitoring users' behaviour on their website through the use of cookies.

Should a business process or control personal data in any of the above circumstances, the business must take steps to ensure compliance with GDPR, by:

  • Conducting a comprehensive due diligence of its business in order to ascertain how, why, where, when and what personal data of individuals is processed;
  • Developing a strategic plan setting out the measures to be taken to ensure compliance;
  • Updating its current website terms and conditions and privacy policy; and
  • Drafting a GDPR policy.

If GDPR is applicable to a business, one must determine whether a Data Protection Officer (DPO) needs to be appointed within the organisation. GDPR provides that it may be compulsory for the business to appoint a DPO if (i) the processing is carried out by a public authority; (ii) the business's core operations involve mass, systematic and regular processing of data; or (iii) it processes sensitive data of data subjects on a large scale.

Aside from the high non-compliance penalties (a fine of up to €20 million or 4% of the business's global revenues, whichever is the greater), the main reason South African businesses need to comply with GDPR is that the EU is one of South Africa's largest trading partners, and EU businesses are unable to trade with South African businesses unless the latter comply with the requirements of GDPR.

With globalisation and the ease of cross-border transactions, it is essential that South African businesses constantly maintain a global view on data protection in order to ensure compliance and avoid penalties.

(1) Processor: any party doing the actual processing of the data, whether based in the EU or not.
(2) Controller: any organisation that dictates why and how the data is processed.