Cape Town - South African companies doing business with European Union (EU) customers may find themselves at odds with new data protection regulations, says a digital communications specialist.
The 'General Data Protection Regulation' policy (GDPR) replaces the EU Data Protection Directive 95/46/EC. And South African businesses that process data on EU citizens are obligated to comply with the new regulations.
“A key element of the new regulations concerns the transfer of customer data outside the EU to jurisdictions where the data protection standards are not at a similar level,” said Alison Treadaway, director of Striata.
The company specialises in digital communication and does business with large South African firms such as Nedbank, Standard Bank and Absa.
In SA, the Protection of Personal Information Act (Popi) obligates a more robust framework for the handling of personal data, but the act is not yet fully implemented.
Legislation gap
“If South Africa’s Protection of Personal Information Act 3 of 2013 (Popi) had been fully enacted, this would have gone a long way to motivating SA businesses to make the required changes to bring their data protection policies in line within the 12-month grace period,” said Treadaway.
She added that there was a significant gap between what EU regulators required and South African law, which has resulted in local firms dragging their heels on compliance with EU regulations.
“Call centres, data centres and business process outsourcers that touch EU customer data will need to ensure they are fully compliant with the GDPR to continue providing services,” Treadaway said.
While Popi has made some efforts to enforce legal protections for personal data, there are some areas where local legislation falls short, Treadaway argued.
“A requirement that is inadequately covered in Popi is the concept of ‘data portability’ which is the right for a data subject to receive his or her data in a ‘structured, commonly used, machine-readable and interoperable format and the right to transmit those data to another controller’,” she said.
The EU has taken a hard look at how tech companies handle data.
The European Commission recently ordered search giant Google to enforce its "Right to Be Forgotten" regulation and is also investigating the company over anti-competitive behaviour with regard to its online shopping search results.
Despite the impact of the regulations, Treadaway said that full implementation of Popi in SA would go a long way to aligning companies for business in Europe.
“There are many areas of alignment between Popi and the GDPR, which should make it easier for SA businesses working toward Popi compliance to also meet GDPR requirements.”
- Follow Duncan on Twitter