The answer is yes! Under the GDPR the focus shifted to the location of the data subject, rather than the location where the personal data is processed. The GDPR applies to processing carried out in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing itself takes place in the EU or not. Importantly, it also applies to a controller or processor not established in the EU which offers goods or services to data subjects in the EU (irrespective of whether a payment is required), or which monitors the behaviour of data subjects in the EU. If your company does any of this, you may very well need to comply.
A quick overview of the key concepts: Data subject means the identified or identifiable natural person to whom the personal data relates. Personal data means any information relating to the data subject, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The controller determines the purposes and means of the processing of personal data, and the processor processes personal data on behalf of the controller. Processing has a very wide definition and essentially means any operation or set of operations performed on personal data, whether by automated means or otherwise (including, for example, collection, receipt, recording, storage, use, making available in any form, merging and erasure).
Whilst the controller remains responsible for compliance with the data protection principles and must be able to demonstrate such compliance, the responsibility imposed on a data processor has increased. Processors now have specific responsibilities of their own, including to implement appropriate technical and organisational measures and to monitor their compliance with them. Processors may not engage sub-processors without the prior written authorisation of the controller. The GDPR requires that processing by a processor is governed by a binding contract between the controller and the processor, which must set out the subject matter, duration, nature and purpose of the processing and the obligations of the processor. This is commonly referred to as a data processing agreement.
As is likely known to all, the Protection of Personal Information Act (Act 4 of 2013), commonly referred to as "POPI" or "POPIA", has not come into full force and effect as yet. Only the definitions section and those sections aimed at establishing the Regulator and promulgating regulations have commenced to date. A commencement date for the balance of the Act, and accordingly for the substantive obligations under POPI, has not yet been announced. The Regulator has, however, since been established. It is anticipated that a commencement date will be announced once the Regulator's office is fully operational and the final regulations have been promulgated. This is likely to be towards the end of 2018, but remains uncertain. Organisations will have 12 months from the commencement date of the balance of the Act to comply with POPI.
There are differences between the GDPR and POPI: the GDPR, for example, does not protect data subjects who are legal (juristic) persons, whereas POPI does, and the GDPR introduces concepts such as pseudonymisation, the right to be forgotten and data portability, which POPI does not expressly provide for. There are also many similarities. Both require the implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data. Under the GDPR this obligation vests in both the controller and the processor. Under POPI the statutory duty rests on the responsible party (our version of the controller), which must in turn ensure, by way of a written contract, that any operator (our version of the processor) establishes and maintains the same security measures. Both impose restrictions on the transfer of personal information across borders to third countries. Both introduce a right to compensation (i.e. a damages claim) for the data subject in certain instances. The GDPR itself does not create criminal offences (although member states may provide for criminal penalties in their national law), but serious violations can result in administrative fines of up to €20 million or 4 per cent of total worldwide annual turnover, whichever is greater. Under POPI, certain offences carry a maximum of 10 years' imprisonment and/or a fine, and the Regulator may impose an administrative fine of up to ZAR10 million.
Because of the significant trade relations between South Africa and the EU, and of course the GDPR's global reach, it is likely that POPI will in time be amended to bring it more closely in line with the GDPR. As a matter of good practice, South African companies should already be preparing for POPI compliance, and South African companies which process the personal data of EU data subjects should be complying with the GDPR already.
If your company hasn’t done so already, you may want to speak to us about GDPR and POPI compliance.