The GDPR is widely viewed as the gold standard of data privacy. This regulation is the most significant shake-up of data protection laws in the last 20 years. The EU General Data Protection Regulation (GDPR) commenced on 24 May 2016 and its grace period ended on 24 May 2018. The GDPR applies directly in all EU member states without the need to transpose it into national law.
The GDPR recognises privacy as a fundamental human right and prohibits organisations from collecting and processing personal data without a lawful exception. The GDPR includes eight key topics that need to be covered operationally from three different perspectives: business (what data is processed), IT (where personal data is processed) and third parties (to whom personal data is transferred).
The eight key topics are:
- data inventory
- data subject rights
- data processing records
- personal data breaches
- data protection officer
- data protection impact assessment
The GDPR has two tiers of administrative fine for non-compliance:
- Up to €10 million, or, in the case of an undertaking, 2% of annual global turnover – whichever is greater; or
- Up to €20 million, or, in the case of an undertaking, 4% of annual global turnover – whichever is greater.
GDPR breach fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”. In addition, data subjects have the right to seek compensation for damages.
However, not all GDPR infringements lead to fines; supervisory authorities can take a range of other actions, including:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data; and
- Suspending data transfers to third countries.
In the first quarter of 2020, European supervisory authorities issued at least 68 administrative fines totalling nearly €50 million.
The fines for January to March 2020 break down as follows (table not reproduced here; its columns were monthly total (€) and 2020 cumulative total (€)).
Source: (IT Governance UK, 2020)
GDPR is broadly similar to POPIA. However, South African organisations with links to the EU will have to comply with both POPIA and GDPR requirements in order to lawfully hold and process EU data subjects' personal information, and vice versa, even though some elements are similar.
Questions South African organisations should ask to determine whether they need to take GDPR into account:
- Does the organisation have a legal entity (e.g. a company) which is registered in Europe?
- Is the organisation established in the EU in some other way?
- Does the organisation offer goods or services to individuals in Europe?
- Does the organisation monitor the behaviour of individuals in the EU while they are in the EU?
If you have answered yes to any of the above, you more than likely need to comply with GDPR in addition to POPIA.
What about the United Kingdom?
The European Commission issued a notice to stakeholders pointing out that UK organisations will be treated in the same way as organisations from any other non-EU country. In other words, EU organisations will no longer be able to freely transfer personal data to the UK. You can read the EU Commission notice at the following link: Notice to stakeholders Brexit preparedness personal data protection.pdf
Profweblearning has a further module on this topic: Understanding GDPR: A Practical Approach.