Is Africa ready for GDPR?
Is Africa ready for GDPR?
The protection of data has been the subject of thousands of conversations globally. As more and more businesses digitally transform, how they handle and analyse data is coming under more intense scrutiny. With the force of cybercrime growing by the day, businesses and governments are placing data protection and privacy at the top of their priority list – in an effort to avoid financial loss and maintain steady productivity.
The introduction of the General Data Protection Regulation (GDPR), which takes effect on 25 May 2018, is set to take on a more ambitious approach to data protection.
Although GDPR is designed to strengthen data protection within the European Union (EU), African businesses – and startups – are not entirely ruled out. Be careful of falling into the trap of assuming the regulation does not apply to you.
If GDPR does apply to you, using a cloud service can help you become compliant quickly and easily, minimising the time and resources you would need.
What is GDPR – and who does it apply to?
GDPR is a new regulation that will provide individuals in the EU with greater control over their personal information. It will introduce tighter rules on organisations that handle, collect or analyse personal data, be it a contact number, photo or computer IP address. National regulators will also have increased authority to impose substantial consequences on organisations who do not comply.
The reason why African businesses need to take notice is because the regulation also addresses the export of personal data outside of the EU.
Simply put, if you do – or ever plan to do – business with or process the data of any individual living in the EU, GDPR applies to you, irrespective of your size or where you are.
Why should startups be concerned about GDPR?
As we bring more entrepreneurs, businesses and developers online and into the cloud, they have the opportunity to market their products, apps and solutions internationally.
However, as countries impose tighter regulations on data protection, startups who do not comply will be limited in their ability to scale and operate internationally – or even secure overseas investment.
Without adequate security practices in place, startups will be seen by European countries as a high risk from a data protection perspective - and they won't do business with you.
Not complying with GDPR will limit your ability to have employees in the EU, sell or market your products online or offline in the EU, partner with an EU organisation; or receive funding from an EU-based investor.
GDPR is also set to become the standard benchmark for data protection. Even if you aren't affected by this specific regulation today, you could be affected by a new one tomorrow, as countries continue to ramp up their own data protection laws.
Countries like South Africa, for example, have signed the Protection of Personal Information Act (POPI) into law. Similar to GDPR, businesses and governments will be lawfully responsible for collecting, storing and using personal information. For businesses with ties to the EU, they will need to comply with both POPI and GDPR, or risk facing hefty fines.
The best option for startups who hope to succeed in today's digital age is to start introducing robust data protection practices now.
Making sense of what is expected
There are five best practices that GDPR will expect organisations to adhere to:
- Organisations will not be able to re-use or disclose personal information for purposes that do not link back to its original intended purpose. Organisations are required to be transparent with individuals about how their data will be used, under a lawful basis.
- Organisations will be required to take steps ensuring that personal information is kept secure and backed up through organisational and technical security measures.
- Data must only be kept for as long as it is needed – restricting the storage of personal information.
- Personal data will need to be accurate. In cases where it is not, corrections must be made. Individuals will have the right to update any of their personal information that is incorrect.
- The collection and storage of any data must be kept minimal, collecting only what is adequate and relevant for the intended purpose.
If businesses are to remain relevant in today's market, digital transformation coupled with data protection must exist at the heart of their business models. Cloud services are proving to be revolutionary for businesses aiming to digitally transform their operating systems.
By Louis Otieno, Director of Corporate Affairs for Microsoft 4Afrika.