Any South African company that handles personal data connected to the EU has to comply with the GDPR, and failure to do so will be met with the same major consequences EU organisations face for non-compliance.

This is according to local compliance experts who add that as of 25 May 2018, penalties will begin rolling in for organisations that have not yet taken the necessary steps to ensure they are compliant with this restructured – and considerably more stringent – set of data protection regulations.

But just because the GDPR is an EU regulation, South African organisations are by no means off the hook. On the contrary, experts warn, local companies need to take the GDPR – positioned as one of the most significant changes in data privacy regulation in 20 years – very seriously.

Leilani Smit, compliance professional at Smit Compliance (Pty) Ltd, notes that the GDPR applies to any local organisation that holds or processes data on EU citizens, regardless of the location of its head office. "This includes companies that have employees in the EU, sell or market products or services in the EU, or partner with EU organisations."

Leon van der Merwe, head of digital at customer communication firm PBSA and director of local digital signature and workflow solution SignFlow, adds that any South African entity controlling or processing data relating to EU citizens is affected by the GDPR. "Controlling refers to any organisation that states why and how data is processed, while a processor is any party doing the actual processing of the data, whether based in the EU, or not."

World Wide Worx MD, Arthur Goldstuck, says the effects of the GDPR will be far-reaching due to the fact that the EU is SA's biggest trade partner. "[On top of this], any company that does business with a company that has to comply with GDPR, will also have to comply, to ensure the client is in compliance."

GDPR vs POPI

Fortunately for SA, details around the country's own local version of data protection policy – the Protection of Personal Information (POPI) Act – have been highly publicised since 2013, and many companies will already be familiar – some even largely compliant – with what is expected of them in terms of data protection.

Summing up SA's POPI Act, Michalson's says: "Essentially, the purpose of [POPI] is to protect people from harm by protecting their personal information. To stop their money being stolen, to stop their identity being stolen, and generally to protect their privacy, which is a fundamental human right."

Smit says, should a local company already be compliant with international legislation such as GDPR, the implementation of policies to comply with POPI "should be a breeze and not require anything other than normal company practices and procedures".

The high price of non-compliance

Another area in which both sets of rules are similar, is in the hefty fines that come with non-compliance.

In a nutshell: breach rules laid out in the POPI Act, and face a R10 million fine and/or a jail sentence; fail to comply with the GDPR's regulations, and be prepared to be slapped with a fine of up to €20 million (about R290 million) – or 4% of annual sales (whichever is greater).

Smit comments: "In South African terms, POPI already poses strict penalties for non-compliance, however as far as our Rand stretches, the GDPR's penalties will definitely cause sleepless nights."

Consumer-centric control

Van der Merwe says it is all about the consumer. "Both GDPR and POPI were ultimately created to protect the consumer's privacy. We are all someone's consumer, and even small businesses owners need to think carefully and logically about areas in their business where personal information is processed or stored, and what vulnerabilities may exist in their processes.

"GDPR is a good thing that could be very bad news for companies, if they fail to provide evidentiary and auditable processes and adequate IT security to protect personal data."

Goldstuck adds that it is not only important, but essential, that South African companies have a global view on data protection. "Something as simple as having a website hosted on an international platform can make a company liable to sanction under GDPR."