Ideas & Debate

Lifting the veil on the EU data protection law

[Photo caption: Organisations should take the necessary steps to examine their data privacy policy. FILE PHOTO | NMG]

Concerns over the privacy of data have soared in the recent past with the scandal affecting Facebook over data acquired and used by Cambridge Analytica. This is a pointer to the fact that we cannot over-emphasise the importance of data privacy. As organisations come to the realisation that data wields significant power in business, there is more public outcry against the irresponsible use of such power. Data strategy and policy is therefore a business imperative for business leaders today.

Regulators in the European Union (EU) have put together the General Data Protection Regulation (GDPR), which will have global implications for business, as many organisations work with (or are looking to work with) organisations that are in the EU or individuals that are EU citizens or residents. The GDPR came into effect on 25 May 2018. It has replaced the earlier Data Protection Directive, which had been adopted in 1995. The regulation seeks to protect the fundamental rights and freedoms of natural persons and in particular the right to the protection of personal data.

According to the regulation, personal data is “any information relating to an identified or identifiable natural person”. It includes, but is not limited to, names, bank account information, addresses, medical records, personal email addresses, credit card information, photos, videos, usernames and passwords. The rights that the natural person has over their personal data include, among others, the right to access their personal data, the right to be asked for consent before their personal data is processed, and the right to erasure — popularly known as the right to be forgotten — a right established by article 17 of the regulation, which says, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”.

The regulation, adopted by the European Parliament and Council on 14 April 2016, has as its primary role the harmonisation of data privacy laws across Europe. Most importantly, it applies to the processing of personal data of data subjects (the individuals whom the data is about) by an organisation with a European presence, even if the processing is done outside the EU, and to the processing of the personal data of an EU resident or citizen by an organisation outside the EU, as long as the objective of such processing is selling to them or monitoring their behaviour within the EU. Some organisations in other markets may survive without coming under the regulation. However, from the regulation’s definition of its scope, its tentacles do stretch over the boundaries of the EU and touch the rest of the world.

The consequences of non-compliance are very severe: an organisation found guilty of breaking the regulation could incur fines of up to 20 million euros or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher. A bigger blow is the loss of trust among the organisation’s customers and hence irreparable reputational damage.

For an organisation operating in Africa, it is important not to dismiss this regulation on the grounds of jurisdiction. The interconnected nature of the business world today means that in certain circumstances this regulation will also affect our market. Organisations should therefore take the necessary steps to examine their data privacy policy and put measures in place to protect, control and monitor the usage and storage of personal data.

Predominantly, proper data privacy measures present two opportunities for the organisation: being more competitive by building customer trust, and being more agile in deriving insights from data. One, customers are increasingly aware of their rights with regard to data privacy. Therefore, demonstrating protection of customer data can yield a competitive advantage resulting from increased customer trust in the organisation’s ability to protect their data. Two, an organisation can leverage the power of advanced analytics, simply because GDPR compliance demands a comprehensive and robust data management policy, which will ultimately ensure that data is of good quality, that is, accurate, consistent, complete, valid and timely. Good quality data can quickly yield precious business insights and hence drive growth.

The call is to urgently evaluate business models and data strategies and move towards effective data privacy policies. The lasting solution to GDPR compliance, and to bridging the customer trust gap, is to formulate a strong data strategy and implement a working data management policy which ensures, among other things, that data privacy is upheld and hence that customers’ rights over their personal data are protected. It must be noted that GDPR compliance will not be achieved simply by running a pro-privacy campaign throughout the organisation for a few months.

KEVIN MUGWERU, Associate in data and analytics with KPMG Advisory Services Limited, [email protected]. The views and opinions are those of the author and do not necessarily represent the views and opinions of KPMG.