Many South African businesses have now heard of the Protection of Personal Information Act (or POPI), and some have even spent time and money implementing their policies to prepare for their new responsibilities in terms of it. Businesses have realized that compliance with this new local data protection regime brings not only a good reputation with the regulators, but also with your customers. But in the face of this positive incorporation of this new South African law, I dare say that many will miss their objective if they are not aware that EU and US data protection laws may simultaneously apply to their operations.
Simply put, if a South African entity processes the personal information of an EU or US resident (even in South Africa), they must adhere to the respective EU or US laws on data protection (in addition to POPI). The EU and US data protection laws are more stringent, laborious and time-consuming than POPI, and a failure to adhere to them when required, can lead to enormous fines. The silver lining is that if you have yet to prepare for POPI, it might be smarter to rather operate by the more stringent EU and US standards, as they will automatically satisfy the standards required for South Africa, whilst simultaneously assuring your foreign customers.
Being compliant with data protection laws, both South African or foreign, is most efficiently done if implemented either before the organization even starts processing personal information, or done in one concerted effort to established operations (as opposed to piecemeal patching of problems). The updated EU data protection laws – the General Data Protection Regulation (GDPR) – is already in force but will become applicable in May 2018. The most prominent US system, Privacy Shield, is an interim arrangement where the US demands certain processing standards in order to process a data subject’s personal information in or through US territory.
Whilst POPI does actually contain many provisions that would satisfy many of the demands of its foreign counterparts, the foreign regimes implement three particular additional obligations on processors which would have a substantial practical effect on South African businesses who trigger the law:
Placing short time limits on very large demands:
As compared to POPI’s open-ended response requirements if personal information is breached, the GDPR requires a 72 hour response time, accompanied by a very detailed report on exactly what was breached and how. This is extremely difficult for large operations whose information is stored across the globe.
Requiring comprehensive data mapping:
Whilst POPI does place some responsibility on relevant parties to understand where their data is stored, the GDPR and US systems both require extensive data-mapping, detailing the exact location, format and function of every single piece of personal information. This is an enormous exercise if not designed into a company’s data processing structures from the start.
Regular engagement with highly skilled regulators:
POPI has had to rely on some elements of self-regulation and self-reporting due to its lack of enforcement / regulator skills and resources. However, engaging in the GDPR or US systems will require regular and prescribed engagement with various, highly-skilled and motivated data authorities. These engagements can be extremely difficult if a company’s data processing systems are not engineered to allow for constant probing or interference to adhere to regulator engagement.
Notwithstanding the rather intimidating and thorough EU and US regimes’ possible application to local companies, one glaring practical hurdle for these foreign regulators is trying to enforce its foreign sanctions on infringing South African companies who have no connection nor assets under EU or US control. In this case, the foreign regulators would have to use inter-government co-operation to attempt to pressure the SA regulators in assisting them under international treaties and co-operation instruments; neither a simple nor attractive process for them.
Ignoring the enforceability conundrum for a second, adhering to the GDPR and US systems and these three particular EU and US demands above, requires substantial resources and time to be implemented by a company in South Africa. But at least when they are accommodated for, your company can feel assured that it is satisfying both local and foreign law. It is seemingly, therefore, a case of eating your vegetables now and reaping the international markets later.