GDPR and 2018
What is GDPR and why should it be of relevance to Malawi and our national IT policy? GDPR stands for General Data Protection Regulation, a regulation aimed at strengthening data protection in the EU, and it is due to be introduced in May 2018. This is strict regulation aimed at making organisations that handle, collect or analyse personal data legally responsible for the correct management of that data.
It strengthens the rights of individuals in the EU, enabling greater control over their personal information. Sanctions are substantial. It will introduce tighter rules on organisations that handle, collect or analyse personal data. Built in will be the rights of individuals to access, be informed about, or rectify personal data held by these organisations.
So, why should this affect us here in Malawi, or Africa? Simply put, if you choose to do business with, or access data of, any entity in the EU, then these regulations will apply to you. The new regulation will affect every organisation across the globe that wants to do business with an individual or business in the EU. Some organisations based in Malawi come to mind: ISPs, banks and financial services organisations are at the top of the list. But any international organisation with a presence in the EU, or a local organisation working with EU citizens, will need to understand this regulation and reflect its requirements in order to continue operating.
How about startups, entrepreneurs and developers seeking to expand their services and products on the international market? How about those seeking overseas investment? Those who do not comply will be restricted from operating internationally and will probably be seen as high risk, restricting both your ability to do business and your ability to raise funds. And now the advent of the cloud has made it more important than ever to look seriously at embedding the right data protection procedures into your business.
There are two fundamental areas this legislation is seeking to focus on: secure data protection and the requirement to report data security breaches. To this end, a number of best practice points are being mooted as the way forward. Entities must consider and comply with the following. They will be required to implement procedures to ensure that personal information is kept secure and backed up through established technical and business security measures.
Personal data stored must be accurate, and the individuals who own that data will have the right to examine and rectify or erase any of their personal information that is incorrect. Data must not be stored for longer than it is needed. Information will not be allowed to be re-used (consider the selling of email addresses to online spam companies) or disclosed for any reason other than that for which it was collected, and individuals must be informed about how the data collected will be used.
A number of online social network companies already do this; have a look at the End User Licence Agreement (EULA) for further clarification on what your data will or will not be used for. Facebook and Google, for example, are very clear about what they will or will not do with the data they have collected in your name; if in doubt, have a read of their privacy policies online. Countries that seek to exploit the global market are already ramping up their data protection regulations to take into account the requirements of GDPR.
A vibrant writer who gives a great insight on hot topics and issues