‘How Nigerian firms can comply with EU data privacy laws’

The European Union’s General Data Protection Regulation (GDPR), comes into force on May 25. African businesses that collect, process, or store personal data about European citizens and residents will need to comply even if they don’t have a direct presence on the continent; even more so if they are Small & Medium Businesses (SMEs).

The GDPR sets out the minimum requirements for the treatment of all personal data, which it defined as any data identifying or relating to an individual, including things like physical appearance, biometric data, an individual’s record on a customer relationship management system, or even something as simple as website tracking data collected via cookies.

Checks showed that failure of businesses in the region that collect, store and process personal data for EU citizens for the provision of goods and services risk €20million fine if they failed to comply with the new GDPR.

However, the Executive Vice President, Africa & Middle East, Sage, Pieter Bensch, listed six measures organisations and firms can take to avoid any embarrassment.

These measures, according to him, include getting informed; doing an audit, review of consent mechanisms; refreshing privacy policies and contracts; training of extended workforce and appointing a data protection officer.

Bensch explained that the first step towards complying with the GDPR is to understand the new demands the regulation places on how business collects, manages and stores the personal data of European citizens and residents. “There is a wealth of information available online; a good starting point is the EU GDPR Portal,” he stated.

He revealed that many law firms and IT consulting groups in Africa have also been studying the GDPR. He said they will be able advise on the practical aspects of compliance as well as how the GDRP will interact with the data privacy and protection laws and regulations in place in specific countries, like the Protection of Personal Information Act (POPI) in South Africa.

According to him, the GDPR is an opportunity to evaluate why organisations collect and store personal data, as well as the data already in databases. “You will need to know this so that you can explain to European individuals which data of theirs you are collecting as well as how you use it. If you find that you are gathering data for which you have no real business need, delete it. This will help you reduce your exposure to risk, as well as show a commitment to responsible usage of your customers’ data.”

Bensch said the EU data protection legislation has always required that customers must give specific and informed consent to organisations that gather their data.

He noted that organisations will need to update their privacy notices to provide the additional information required by the GDPR, and may well need to relook the portions of any contracts with EU residents and citizens that deal with their data rights.

He advised companies to ensure their employees and partners are aware of the GDPR and secure training to prepare them. “Remember the GDPR makes you responsible for third parties who process personal data for you.”