• The European Union's General Data Protection Regulations (GDPR) come into force today.
  • Organisations are taking no chances, because the penalties are hefty.
  • South Africa's own Information Regulator does not exist yet.


If you are wondering why your inbox is suddenly full of notices from companies about a change in their privacy policy, it is because of the implementation of the European Union’s new General Data Protection Regulations (GDPR).

The regulations are aimed at personal data protection and privacy for all individuals within the EU – but also addresses the export of personal data outside the EU. The aim of the legislation is to give citizens more control over their personal data.

The rules also ease things for international businesses in the EU, because data regulations are now uniform across the economic zone.

See also: EU privacy watchdog: Big tech firms are 'blackmailing' users into agreeing with their GDPR data terms

The regulations force companies to use the highest possible privacy settings by default. Data may not be made public without explicit consent from the user. No personal data may be processed unless it is done under the specifications of the regulations or if the data controller has received explicit, opt-in consent from the owner of the data.

Individuals have the right to revoke their permission at any time.

The new regulations come into effect today (25 May) and companies have one month to comply or face penalties of up to €20 million – nearly R300 million – or 4% of their turnover, according to Era Gunning, director of Banking and Finance at ENSAfrica. In terms of the regulations companies are obliged to conduct data protection impact assessment where data processing is likely to result in high risks for the rights and freedoms of individuals, says Gunning.

Companies must keep evidence or documentation of having done such assessments and mitigate data breach risks. Individuals also have the right to access data accumulated by companies and can ask that their data be transferred to another service provider or company.

South Africa has similar legislation called the Protection of Personal Information (POPI) Act parts of which came into effect in 2014 and will be controlled by the Information Regulator, a statutory body which is in the process of being created to enforce the Act.


Receive a single WhatsApp message every morning with all our latest news: Sign up here.

See also: