The regulations are aimed at personal data protection and privacy for all individuals within the EU, but also address the export of personal data outside the EU. The aim of the legislation is to give citizens more control over their personal data.
The rules also ease things for international businesses in the EU, because data regulations are now uniform across the economic zone.
The regulations force companies to use the highest possible privacy settings by default. Data may not be made public without explicit consent from the user. No personal data may be processed unless the processing is done under the specifications of the regulations or the data controller has received explicit, opt-in consent from the owner of the data.
Individuals have the right to revoke their permission at any time.
1/ It is a bit ironic that GDPR, a regulation to protect our privacy, has resulted in the greatest deluge of spam into my inbox that I can recall — Fred Wilson (@fredwilson) May 24, 2018
The new regulations come into effect today (25 May) and companies have one month to comply or face penalties of up to €20 million – nearly R300 million – or 4% of their turnover, according to Era Gunning, director of Banking and Finance at ENSAfrica. In terms of the regulations, companies are obliged to conduct a data protection impact assessment where data processing is likely to result in high risks for the rights and freedoms of individuals, says Gunning.
Companies must keep evidence or documentation of having done such assessments and mitigate data breach risks. Individuals also have the right to access data accumulated by companies and can ask that their data be transferred to another service provider or company.
South Africa has similar legislation called the Protection of Personal Information (POPI) Act, parts of which came into effect in 2014, and which will be controlled by the Information Regulator, a statutory body which is in the process of being created to enforce the Act.