It’s comply or die for SA’s SMEs

By Tracy Bolton, director: General Business at SAP Africa

On 25 May this year, a new piece of legislation came into effect in Europe that could have severe consequences for non-compliant South African businesses. The General Data Protection Regulation, or GDPR for short, is a regulation under European Union law that aims to give individuals in the EU control over their personal data.

The regulation applies to any organisation that collects or processes the personal data of people in the EU, even when the organisation itself is based outside the EU. The European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life”. This includes names, home addresses, photos, email addresses, bank details, social media posts, medical information, and even a computer’s IP address.

The fines for non-compliance are severe and could spell the end of a business practically overnight: the maximum fine is €20-million, or nearly R300-million, or 4% of global annual turnover, whichever is higher. What’s more, the regulation is far-reaching: a company outside the EU falls under GDPR when it offers goods or services to people in the EU or monitors their behaviour, so a South African firm with a customer based in the EU, or even a single subscriber to its newsletter who is located in the EU, can be held liable. Few if any mid-sized South African firms could afford such a steep sanction, and legacy systems compound the difficulty of compliance, increasing their risk and potential liability.

In response, technology firms are taking unprecedented steps to ensure they and their customers remain within the confines of the new regulation, especially considering the volume of trade and collaboration between African countries and their European counterparts.

Legacy processes add complexity to compliance
Most mid-sized firms have deliberately or inadvertently built up internal silos in how customer, business and other operational data is stored. For example, in a typical retailer’s marketing department, the system that processes newsletter subscriptions via email may be entirely separate from, and not integrated with, the WhatsApp number where much of the customer communication takes place. This means a customer who unsubscribes from a newsletter via WhatsApp may keep receiving the newsletter until the retailer manages to integrate the two sets of data.

As GDPR comes into effect, companies will not only be liable for fines should the above scenario play out, but they also need to be able to give customers complete clarity on how their data is stored and managed at any point in time. Any costs incurred in showing how customer data is stored are for the company’s own account, which adds not only complexity to standard business processes but also potentially additional costs.
Considering the prevailing trust deficit between consumers and brands, the damage from being exposed for treating confidential customer data poorly is immense. Once trust is breached, affected customers are unlikely to engage with the brand again, and will leave a searchable and public trail of comments on social media for all to see. The recent case of Facebook, which has been widely reported as theoretically exposed to fines of as much as $2-trillion, has brought this to the forefront of consumer consciousness, but other examples of poor customer data management abound.

On the basis of consent
For South African businesses, however, new technology tools could play an invaluable role in mitigating the risks associated with GDPR and its South African counterpart, POPI. A recent investment by SAP in Consent is simplifying the business processes associated with creating trusted digital experiences within the limits of GDPR and POPI compliance.

Part of the SAP Hybris suite of applications, Consent enables SMEs to centrally manage customer preferences and consent settings throughout their full lifecycle, while putting customers in control of their own data. Consent enables companies to be transparent, gain loyal customers and protect their business from costly fines, as well as from the potentially disruptive business processes involved in proving to customers how their data is being stored and managed.
In line with modern business demands, Consent is also provided in the cloud, making it quick to implement and easier to demonstrate a return on investment. Every time a policy changes, customers can receive an automated notification that they actively accept, with a record of each such consent stored centrally so that SMEs can quickly and accurately prove responsible customer data management.

Whether you run an online retailer with customers around the world, or a news website where a European citizen may occasionally offer a comment on an article, GDPR holds inherent risks to your business. But with the correct technology tool, a potential R300m liability can be transformed into a competitive business advantage that furthers the cause of trusted and trustworthy digital customer experiences.
Seems an easy choice, no?

By Harry Pettit for MailOnline 

An ‘embarrassing’ leak shows the European Union has fallen short of its own data protection laws.

The European Commission’s website has published 700 records, including the names, addresses and mobile numbers of conference attendees, according to a report.

Officials in Brussels admitted the authority that designed the rules is not itself compliant with the General Data Protection Regulation (GDPR).

The Commission has previously warned that those who breach these rules, which came into force last week, could face millions in fines.

Following the leak, a spokesperson said the authority was exempt from GDPR laws for ‘legal reasons’.

Officials in Brussels will follow a similar set of new laws that ‘mirror’ those laid out in GDPR.

These rules will not enter force until autumn, according to the Telegraph.

The spokesperson added that the Commission is ‘taking and will continue to take all the necessary steps to comply’.

GDPR aims to strengthen and unify data protection for all individuals within the EU, which means cracking down on how companies use and sell user data.

Under GDPR, companies are required to report data breaches to the regulator within 72 hours, as well as to allow customers to export their data and to request its deletion.

Companies scrambled to comply with the rules before they took effect on May 25, with the Commission threatening hefty fines for those who breached them.

The bureaucracy’s website exposed 700 records that include people’s names, professions, and even some postcodes and addresses.


The records, some of which featured the private information of Britons, were collected during EU meetings and conferences and stored on data spreadsheets.

Tech website Indivigital found the documents are among thousands hosted by the website Europa.eu that are freely accessible online.

Many of them could be found by simply searching for the document on Google.

This leak would constitute a breach of GDPR rules were the blunder committed by other organisations or businesses.

What is GDPR?

The General Data Protection Regulation is an EU-wide law that came into force on May 25 2018.

It gives greater power to regulators to penalise companies who mishandle personal data or are not transparent about how their business uses it.

For consumers, it brings new powers: where a firm relies on consent to process their data, that consent must be clear and freely given before processing begins.

It also grants users a right to easily access the data collected from them and transparency on how it is being used.

Everyday users have to do very little to comply with GDPR – it’s more targeted at big online businesses.

Under the new rules, any company that controls or processes the personal data of people in the EU must adhere to GDPR.

This ends territorial-based accountability used by some firms not based in the EU to previously avoid sanction.

The law also states that a data breach must be notified within 72 hours of the organisation becoming aware of it, increasing transparency around leaks.

The weight of fines able to be issued has also increased under GDPR.

Regulators will be able to issue penalties equivalent to up to four per cent of annual global turnover or 20 million euro (£17.5 million, about $23 million), whichever is greater.

For tech giants such as Google and Facebook, whose annual turnover runs to tens of billions of dollars, four per cent could mean fines running into the billions.

Jon Baines, a data protection expert at law firm Mishcon de Reya, described the ‘irony’ of the EU’s admission.

‘Although the information disclosed here does not appear to be particularly sensitive, it does raise questions about the general level of compliance, and whether any further inadvertent disclosures have been made,’ he told the Telegraph.

Steve Gailey, security expert at database security firm Exabeam, added that the exposure ‘is embarrassing for the EU, coming hot on the heels of GDPR’.

My Office News Ⓒ 2017 - Designed by A Collective