Understanding the General Data Protection Regulation

Johannesburg, 27 February 2017

  • Share

By: Samresh Ramjith, Africa Advisory Cybersecurity Leader, at EY

The Fourth Industrial Revolution continues to disrupt the business landscape, with organisations driving continuous investment in new technologies and business models, all with the aim of remaining relevant and thriving in the dynamic, sometimes volatile, global business environment. Artificial intelligence, robotic process automation and advanced data analytics are among many digital tools that are creating new opportunities for companies. However, with any evolution, there are risks that come with a growing digital footprint.

Regulatory compliance is fast becoming a priority for many organisations across Africa, with the most significant regulation currently impacting organisations globally, being the European Union’s General Data Protection Regulation (GDPR). The GDPR contains mandatory compliance requirements for organisations in order to ensure that the information of data subjects is protected.  

With GDPR coming into effect on the 25th of May 2018, it is critical that organisations understand the applicability and impact of the new regulation to their daily operations. Furthermore, it is imperative that organisations expedite their privacy transformation programmes in order to comply.

Regulatory compliance and data protection, as well as data privacy have come into sharp focus in the latest EY Global Data Analytics Survey. The survey examined the responses of 745 executives from 19 countries, including 40 from South Africa and analysed the legal, compliance and fraud risks, these global companies face and the increasing use of forensic data analytics (FDA) to manage them.

The survey ultimately found that intensifying global regulatory pressures are top of mind for business leaders, with 78% of global executives becoming increasingly concerned about data protection and data privacy compliance.

GDPR was a key component of the survey and in South Africa, 40% of the executives sampled were unfamiliar with the regulation. Thirty-five percent reported that they are implementing programmes towards complying with the GDPR, 18% have no knowledge of the regulation and 8% are still only exploring the GDPR and its applicability to their organisations.

Given the far reaching applicability and impact on organisations across the globe, the survey results are indicative of the slow uptake of the regulation.

The salient points that all organisations and their leaders need to know about this new regulation are:

  1. In essence, the GDPR is an overarching data privacy protection regulation that emanates from the EU to offer EU residents (data subjects) protection of their personal data via one law that ultimately replaces the EU Data Protection Directive.
  2. The GDPR affords data subjects new rights, which places the onus on organisations handling personally identifiable data, to protect the personal data of data subjects through the enforcement of a uniform set of requirements outlined in the regulation.
  3. The GDPR applies to any organisation, regardless of geographic location, that controls and/or processes personally identifiable data of EU residents.
  4. The regulation imposes new obligations on organisations that handle personally identifiable data, whether as controllers, processors, or both, emphasising accountability and requiring greater transparency around the handling of personally identifiable data.
  5. Penalties for non-compliance with the GDPR may result in fines of up to 4% of annual global turnover or €20m, whichever is greater.

Companies should be looking to expedite their privacy programmes with buy-in from board-level and across all levels of their organisation to ensure their readiness for the GDPR. Moreover, organisations should not underestimate the level of effort that will be required to achieve this new regulatory compliance and with that the complexities involved with implementation. Organisations should include specialists in their programmes in meeting the regulatory requirements and enabling a successful transformation journey.


Note to Editors

General Data Protection Regulation (GDPR): Around the world, countries are enacting data protection and privacy regulations that present real compliance challenges for companies. The EU’S GDPR, which becomes effective in May 2018, is complex, applicable to companies globally and has significant potential financial penalties. 

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.

Twitter: @EY_Africa

Website: www.ey.com/za