#SocialMediaTuesday: Have you updated your website's privacy policy?

You may have noticed a few emails in your inbox titled 'updated privacy policy'. In this edition of #SocialMediaTuesday, our Social Media Law Expert unpacks the General Data Protection Regulation further.

More than a few people were complaining about the dozens of emails that they received last week informing them that international companies were updating their privacy policies and asking them to verify information due to the General Data Protection Regulation (GDPR) taking effect in the European Union. 

This is a very comprehensive legislative instrument which applies to the personal data of all European Union citizens and has far-reaching implications for everyone who processes their data. Legislation does not often apply to countries or companies that are not based in the place where the law is in force; however, with the GDPR, any company that offers goods and services to EU citizens (or monitors their activity through applications) will have to be compliant with the Regulation.

The requirements for compliance with the GDPR are quite onerous and detailed. It is also expensive to implement the necessary systems. It is more challenging in South Africa as we do not have current data protection legislation in place and so companies do not have a sophisticated culture of data protection compliance. Although the Protection of Personal Information Act (POPI) has been passed, it is not fully operational, and compliance is not yet necessary.

Unfortunately, non-compliance with the GDPR's data protection provisions can lead to nasty fines. The protection of personal data has become increasingly important with the development of the digital age and online activity, and data breaches do occur. When an EU citizen's data is compromised, they may report it to the EU authorities, who would investigate and possibly fine the South African company in euros. The initial fine could be in the region of €10-million (over R144-million), which would cripple most companies.

The issue of enforcement of the GDPR in South Africa is up for debate as one may ask how the fine would be collected, but even receiving a notice of a fine of €10-million in the post would be terrifying for any SA company. If you think your company may need to comply with the GDPR, then you must take steps without delay to start compliance processes.

Have you updated your organisation's privacy policy yet?

Verlie Oosthuizen - Shepstone & Wylie Social Media Law Department
