
When Do South African Organisations Have To Comply With GDPR?

posted in Backup & Recovery ● 19 Oct 2017

The General Data Protection Regulation (GDPR) is a piece of legislation that was approved and put in place by the European Parliament in April 2016. As European law, it will fully take effect after a two-year transition ending May 25th, 2018; it will impact not only the UK and the member states of the EU but also countries that trade with the EU.

As a result, there are questions that require answering, namely: how do you comply, and when can you transfer data?

When can personal data be transferred outside the European Union?

Personal data may only be transferred outside of the EU in compliance with the conditions for transfer. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection.

You may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. Adequate safeguards may be provided for by:

  • a legally binding agreement between public authorities or bodies;
  • binding corporate rules (agreements governing transfers made between organisations within a corporate group);
  • standard data protection clauses in the form of template transfer clauses adopted by the Commission;
  • standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;
  • compliance with an approved code of conduct approved by a supervisory authority;
  • certification under an approved certification mechanism as provided for in the GDPR;
  • contractual clauses authorised by the competent supervisory authority; or
  • provisions inserted into administrative arrangements between public authorities or bodies, authorised by the competent supervisory authority.

Complying with the regulation

In compliance with GDPR, organisations must ensure measures have been taken to minimise risk and the chance of a data breach. These processes and policies will also ensure organisations are accountable and can be governed; part of the ICO guidance on GDPR reads that organisations must “implement appropriate technical and organisational measures that ensure and demonstrate compliance”.

If firms do not comply with the regulations put forward by GDPR, they can be subject to hefty fines. Both the data controller and the data processor will be subject to fines, with the regulatory bodies of each country working in tandem to establish the appropriate measures to take. For the UK, the ICO will be funded by the fines that it administers, meaning it will have a vested interest in ensuring that fines are as large as possible. Furthermore, companies of all sizes will be subject to punishment for non-compliance. Recently, the Spanish authorities fined Facebook for having inadequate data sharing policies; the fine totalled 1.2 million euros. Facebook was found guilty of ‘not adequately collecting the consent of either their users or non-users’.

POPI vs GDPR

GDPR operates in a similar vein to the Protection of Personal Information Act (POPI), which is altering the scope of data protection, management and governance in South Africa.

POPI, simply put, is legislation that protects a person’s right to privacy and sets out the measures that must safeguard their personal information when it is processed by a responsible party. Eight principles govern the protection of personal information, during its processing and use, against loss, damage and unlawful or unauthorised access, processing and destruction. The principles are summarised as follows:

  1. Accountability
  2. Processing Limitation
  3. Purpose Specification
  4. Further Processing Limitation
  5. Information Quality
  6. Openness
  7. Security Safeguards
  8. Data Subject Participation
