On 25 May 2018, the General Data Protection Regulation (GDPR) comes into force. Thereafter it will apply to those of us around the world doing business with customers in the European Union. As a region, the EU is South Africa's third largest trading partner, so we're certainly paying attention.
It is worth saying that, in principle, it is essential that data protection laws move with the times, especially in a digital, cross-border world where your personal data is stored in the cloud, potentially anywhere around the globe, even though you might be dealing with a local company. I, as much as anyone, am annoyed by relentless unsolicited marketing calls and direct mail. And we've seen enough data breaches recently to know that they are a very real threat, and that companies should be obliged to report them speedily to minimise their impact.
The devil is in the detail, however, and the burden on small and medium-sized businesses – ostensibly the lifeblood of economies that want to grow – is potentially crippling. According to the World Bank, formal SMEs contribute up to 60% of total employment and up to 40% of national income (GDP) in emerging countries. In South Africa, SMEs added 36% of the GDP in 2017, and the government has pegged its hopes on this sector contributing 9 out of 10 new jobs by 2030.
So, what's the problem?

Well, in South Africa we are also planning for the enforcement of our own local data protection law, the Protection of Personal Information Act, affectionately known as POPI. And to ensure compliance, corporate South Africa is starting to get its ducks in a row. However, what this seems to translate into in practice is the large corporates (with seemingly endless manpower and budgets) pushing their compliance protocols onto their supply chain with an instruction that suppliers must implement the same or be registered as non-compliant. One has to ask whether the supplier, typically an SME, can realistically and financially replicate the security protocols of its larger clients.
And then along comes the double whammy. Enter large customer number two, with a similar volume of compliance protocols, except that they are only similar, not identical, to the first customer's protocols. To illustrate, let's assume large customer number one insists on security IDs for your staff to provide access control to your building, but large customer number two insists on biometric security. Are you really expected to put both in place to be compliant with each customer? And then expect your staff to actually jump through these hoops just to enter the building?
I am currently reviewing a number of 40-page-plus POPI compliance contracts from various of our blue-chip customers, and I can confirm that, to ensure compliance across the board, it is not entirely implausible that we may indeed need fingerprint and retinal scanners installed at our offices to meet specific prescribed access control requirements. Or that our employees and consultants may never be able to take their laptops home with them – and if they did, the laptops would have to be transported by a security company. I'm not sure what these requirements would mean for access control and other compliance in employee homes, nor for smartphones, which are typically owned by employees and, thanks to the cloud, have full access to most of the information available via a laptop.
Expense and practicality aside, these requirements also fly in the face of modern working practices, which enable collaboration and reduce distance, travel time and costs. I am of course referring to the new technologies coming into and changing our daily work environment, such as video conferencing, screen and machine sharing across the web, and being able to pull the best team together, from anywhere in the world, to work on specific projects. These are exactly the sort of benefits that nimble SMEs and independent contractors offer to big corporates, and yet they will be effectively outlawed by the corporate "belt and braces" approach to implementing this legislation.
So, while I agree with the need for data security, I feel that the legislative approach is one step forward and two steps back, and that we have erred too far on the side of protecting individual data over enabling the building of our digital futures. Perhaps we need a bit more common sense and forward-looking thinking when tackling these challenges.

GDPR is coming – be prepared for the unintended consequences of compliance!
As published in AccountingWEB, 8th May 2018