GDPR: General Data Protection Regulation and what it means for Africa Part 1

You’ve likely heard the buzz around the European Union General Data Protection Regulation (GDPR). That’s because GDPR raises the bar for data privacy protection. As the May 25, 2018 deadline for GDPR compliance approaches, many people are unsure where to begin. They are looking for the technology, people, and processes that will help them comply in a sustainable manner.

Anyway, let me stop getting ahead of myself and start from the ground up: what is GDPR?

The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/EC in spring 2018 as the primary law regulating how companies protect EU citizens’ personal data. Companies that are already in compliance with the Directive must ensure that they’re compliant with the new requirements of the GDPR before it becomes effective on May 25, 2018. Companies that fail to achieve GDPR compliance before the deadline will be subject to stiff penalties and fines.

GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the key privacy and data protection requirements of the GDPR include:

  • Requiring the consent of subjects for data processing
  • Anonymizing collected data to protect privacy
  • Providing data breach notifications
  • Safely handling the transfer of data across borders
  • Requiring certain companies to appoint a data protection officer to oversee GDPR compliance

Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.

What does this mean?

All organizations, including small to medium-sized companies and large enterprises, must be aware of all GDPR requirements and be prepared to comply by May 2018. By beginning to implement data protection policies and solutions now, companies will be in a much better position to achieve GDPR compliance when it takes effect. For many of these companies, the first step in complying with GDPR is to designate a data protection officer to build a data protection program that meets the GDPR requirements.

The General Data Protection Regulation not only applies to businesses in the EU; all businesses marketing services or goods to EU citizens should be preparing to comply with GDPR as well. By complying with GDPR requirements, businesses will benefit from avoiding costly penalties while improving customer data protection and trust.

What information does the GDPR apply to?

Personal data

The GDPR’s definition of personal data is more detailed than the Directive’s and makes it clear that information such as an online identifier (e.g. an IP address) can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organizations collect information about people.

For most organizations keeping HR records, customer lists, contact details, etc., the change to the definition should make little practical difference.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.

Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).

For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included in the special categories, but similar extra safeguards apply to their processing (see Article 10).

Microsoft’s Role in GDPR

Microsoft is committed to helping its commercial customers achieve GDPR compliance. To Microsoft, this is not a new thing. Its industry leadership in data privacy protection has been recognized for over a decade, beginning with the establishment of its Trustworthy Computing principles. Microsoft’s cloud solutions have earned more third-party attestations than any other cloud vendor. For GDPR specifically, Microsoft has committed that its technology will be GDPR compliant by May 2018. It was also the first major cloud provider to offer the contractual commitments required by the GDPR, giving its customers the assurances they need from Microsoft as their data processor.

If you want to understand the impacts of GDPR in Africa, subscribe to my blog.

More coming soon…