The EU’s data protection regulations and South African business

On 25 May 2018, the EU’s new General Data Protection Regulation (GDPR) will come into force. While the regulations are aimed at protecting EU citizens and residents, its reach will be global and will impact on certain businesses operating in South Africa.

The GDPR replaces the Data Protection Directive and is far-reaching, imposing additional obligations on organisations processing personal data of individuals in the EU. The protection not only extends to EU-residents, but all individuals who find themselves in the EU. All personal data allowing a person to be identified, either directly or indirectly, is protected. This includes an EU person’s name, identification number, location, or IP-address. It also includes information relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

South African organisations with activities in Europe may not be aware that the GDPR may apply to them too. The Regulation may apply to a South African business if it has a stable presence in the EU, if the business actively offers free or paid-for goods or services to individuals based in the EU, or if the business intends to offer goods or services specifically to individuals in the EU. The GDPR also covers those South African businesses that monitor any behaviour of individuals in the EU, which includes tracking for fraud prevention purposes, location tracking by mobile apps and collection of data via wearable devices.

Under the GDPR, regulators have significant new powers to fine businesses that do not comply with the new rules. Fines of up to €20 million or 4% of the firm’s turnover (whichever is greater) can be imposed for the most serious data protection offences. While regulators can fine a South African business, practically the business would need to have a presence or asset in the EU in order for regulators to be able to enforce the fine.

Norton Rose Fulbright has launched Parker, a chatbot powered by artificial intelligence, which helps businesses in non-EU jurisdictions (including South Africa) to determine whether the GDPR applies to them. It uses natural language processing to answer a wide variety of questions non-EU businesses may have on the GDPR, including whether the GDPR applies to their business and what activities the rules cover.