South African companies should also consider GDPR data impact

28 November 2017 4 min. read

As businesses across Europe scramble to update their operations to comply with the General Data Protection Regulation (GDPR), a new survey from global professional services firm PwC suggests that firms from all over the world, including South Africa, will also have to tighten their data security practices if they want to continue trading with European firms. 

Transforming entire business operations to become reliant on the digital arena has become the logical survival tactic for most companies across the world, in light of rapid technological development and the consequent disruption of industries far and wide. However, with the migration of operations to the online domain come all of its risks and vulnerabilities, in the form of hackers with technical know-how and malicious intent.

These risks have manifested themselves extensively in recent months, primarily in the form of cyber attacks, which are becoming increasingly high-profile and expansive in their impact. The Equifax hack is a prominent example, whereby the personal and financial details of nearly half the population of the US were compromised. 

More recently, Big Four professional services firm Deloitte, which is the largest cyber-security consulting firm in the world, was subject to a cyber attack on its own database, whereby the personal communications of 244,000 Deloitte employees were continuously leaked over a six-month period. The emails included information from high-profile clients all the way up to four departments of the US Government, the United Nations, and some of the world’s biggest multinationals.


The EU recognised these threats last year, when the European Parliament compiled the GDPR, which is a regulatory framework designed for companies that handle large volumes of sensitive personal data. The new regulations include: a broadening of the definition of personal data, stricter rules to obtain valid consent, breach-notification deadlines, as well as the “right to be forgotten,” among several other detailed regulations.

The fines and penalties have been set to strongly disincentivise violations. Failure to comply with GDPR stipulations invites a fine of 20% of annual turnover, or €20 million (R328 million), whichever is greater.

One key feature of the GDPR, and one which affects a number of South African firms according to Big Four accounting and advisory firm PwC, is that non-EU parties who handle the data of any EU subject, whether citizens or companies, must also comply with the data protection regulations. Firms that fail to comply are liable to face sanctions under GDPR.

As a result, South Africa has begun drafting the Protection of Personal Information Act (POPIA), which is likely to enter an implementation phase in early 2019, nearly a year after GDPR comes into force in May 2018. The POPIA regulations are reportedly even more of a challenge to comply with, as the definition of “personal information” under the act is even broader than the GDPR in its scope. 

As explained by Busisiwe Mathe, the Leader of Risk Assurance in the Cyber and Privacy domains for PwC in South Africa, “The GDPR will impact many South African and other organisations across the African continent, while compliance with POPIA will be a challenge for many organisations. The POPIA compliance journey will require organisations to consider many features within their organisation and strategic vision.”

Commenting on how the intersection between GDPR and POPIA will work, Mathe said, “After May next year, EU companies that deal with SA can only do so if POPIA is in place or if the SA companies can satisfy their EU partner that they have adequate rules and policies in place regarding data protection.” Moreover, South African companies dealing with the EU that violate either act will face fines from both, which include the 4%/€20 million from GDPR, as well as fines of up to R10 million / jail time for violation of POPIA.