As the compliance date of 25 May 2018 draws near, have you considered whether or not your business needs to align with the General Data Protection Legislation?
As the GDPR is golden standard for data protection legislation globally, POPIA compliance may not be enough, depending on your data handling commitments as an organisation. Two main groups will be affected by GDPR: ‘controllers’ of data, and ‘processors’ of data. Controllers of data are those who state how and why personal data is processed. These include online businesses, charities and even the government – basically any entity that collects any element of personal data. Processors of data are those entities who actually process the data, such as IT companies. According to the GDPR legislation, even if controllers and processors are not based in the European Union, GDPR compliance is still mandatory, as the data they are collecting and/or processing belongs to EU residents.
1. Is your business established in the European Union?
This legislature includes online retailers. For instance, if your e-commerce site contains pricing in Euros, or redirects from .eu to . co.za websites, this counts as offering goods and services in EU.
These individuals do not necessarily have to be EU citizens – it applies to any and all residents of the EU.
4. Is your organisation a processor for a controller who must comply to the GDPR?
It is the onus of the controller to ensure that their data processor adheres to regulations, whilst processors themselves must ensure that they comply to the legislation that determines how they record their processing activity. If a processor is involved in any sort of data breach, they will be liable under GDPR legislation.
