South Africa has the POPI Act (Protection of Personal Information), and Europe’s GDPR (General Data Protection Regulation) Act comes into effect 25 May 2018.
Regulation is long overdue, as compromised consumers have discovered after the various data breaches suffered recently. We’re all hopefully aware of the high profile Facebook data mining debacle, and the Master Deeds breach last year in South Africa that saw 60 million ID numbers being leaked.
At KRS, we’ve been working hard to prepare for the GDPR Act, and have some tips to share for any companies that still need to embrace the new legislation. It’s a big job, involving development teams, DevOps and lawyers to figure out how to convert GDPR legal provisions into tangible actions.
A quick GDPR Overview
Companies that collect data on citizens in European Union (EU) countries will need to comply with strict new rules around protecting customer data by May 25 2018. The Act sets new standards for consumer rights regarding their data. GDPR clarifies where responsibility for privacy protection lies with any companies who collect, store, manage, process and analyze any form of Personal Data.
A company who determines the Purpose of the Data is seen as a Controller. A company who determines the means of processing is seen as a Processor.
Responsibility for Privacy protection defined
Responsibilities of a Controller:
1. Implementation of data protection policies.
2. Adherence to code of conduct defined in the GDPR.
3. Adherence to certification process defined in the GDPR.
Responsibilities of a Processor:
1. Processing of personal data by a Processor should always be based on documented instructions from a Controller.
2. A Processor should be able to demonstrate their GDPR compliance in data processing to Controllers and to supervisory bodies.
3. A Processor should not engage with another processor without written approval from the Controller.
4. If a Processor is subject to any special data transfer regulations, it should communicate those regulations to the Controller.
5. People who are accessing personal data from the Processor’s side should commit to ensuring its confidentiality.
6. The Processor should assist the Controller to fulfill the requests from individuals.
7. The Processor should assist the Controller to be in compliance with the GDPR regulations.
8. The Processor should cooperate with the supervisory bodies.
9. Based on the Controller’s choice the Processor should able to delete any stored personal data.
What must you do to prepare for GDPR?
Security is as much about awareness as it is about technology. It is a mindset that puts the customer’s data, and the protection thereof, front and centre in every process. This includes the live servers, test environments, 3rd party access, backups and any extracts of data or off site storage.
Some key considerations:
1. Communicating and educating – By elevating the importance of this topic and addressing it at every level of your organization.
2. Establishing an accountability framework – By fostering a culture of regularly monitoring, reviewing, assessing, and auditing data processing procedures. Minimize retention of stale data, anonymize data used for testing and support, limit access by roles and improve logging of all sensitive data changes.
3. Review policies and align them – Aim to use clear and plain language, make sure policies are transparent, and are easily accessible to all staff.
4. Analyze how clients use personal data – When obtaining consent, have frequent review of forms and documents to make sure consents are freely given, specific, and informed.
5. Manage data transfers wisely – With any transfer of personal data, including intra-group or processor transfers, ensure that you have a legitimate basis for the transfer and take all necessary precautions to ensure adequate data protection.
6. Preparing for security breaches – To ensure that if ever a Data breach occurs, prepare by having clear contingency policies and well-practiced procedures that notify clients quickly and limit damage.
It is obvious that compliance with the GDPR requires a lot of effort initially. There may be need for organizational changes, refactoring of current procedures, adaption of new procedures and policies and staff (re)training.
KRS has made lots of headway on this front and will continue our journey in ensuring Data Privacy for our clients. We are happy to share our learnings! Compliance with the GDPR is likely to evolve after it takes effect as regulators begin scrutinizing relationships and data subjects begin exercising rights. South African data processors will need to be agile in the face of changing requirements and interpretations.