Businesses in Africa may need to ensure compliance with the new General Data Protection Regulation (GDPR) coming into force in the European Union (EU) by May 25, 2018.
The GDPR is the new legal regime that protects the personal data and privacy of EU citizens with regards to transactions within and outside the EU. It replaces the old 1995 data protection directive and was adopted in April 2016. By virtue of the GDPR, any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
Trade Counselor and Head of Trade and Economic section of the European Union (EU) Delegation to Nigeria & ECOWAS, Filippo Amato, in 2016, put the total value of trade between Nigeria and the EU at 19.9 billion Euros. These transactions will have to rely on personal data of EU citizens one way or the other and thus, African businesses or businesses located in Africa that are involved in EU transactions will need to comply with the GDPR provisions or face stiff penalties.
Which companies does the GDPR affect?
A company that stores or processes personal information about EU citizens within the EU, must comply with the GDPR. This affects both companies with a presence in an EU country and companies who are not present in the EU, but processes personal data of European residents
The GDPR applies to companies storing or processing data outside the EU where the activities relate to offering goods or services to EU citizens whether payment is required or not and the monitoring of behaviour that takes place within the EU.
What constitutes personal data?
According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
How the GDPR affects African businesses
A lot of foreign countries include those in the EU outsource their software development to countries in Africa, where the workforce is getting increasingly skilled in software development. Where the software or app development involves the data of EU citizens or residents , such companies will inevitably be affected by the GDPR. Nigerians resident in the EU use some Nigerian based e-commerce services eg Iroko TV or Konga and payment platforms eg Paystack. These companies who have a customer base in the EU will have to be mindful of compliance as well.
Also multinationals who have EU citizens on their staff or companies involved in trade with EU companies may also need to comply with the GDPR. There are a lot of cross border transactions in Nigeria and some of these businesses use foreign mailing and customer lists to build their brand value .
African companies that do business with other companies in the EU or use and process data of EU residents need to take compliance with the GDPR seriously because any failure to comply could lead to stiff penalties
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million Euros (whichever is greater). This is the maximum fine for infringements like not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
A company can also be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment.
What to do?
Affected African businesses have till 25 May 2018 to ensure compliance or else face stiff sanctions. The GDPR requires certain companies to employ Data Protection Officers (DPO) to enable compliance.
If you desire to comply with the GDPR and seek further information on how to do so, kindly contact email@example.com
This article was earlier published by Adaora Okoli on LinkedIn