For African businesses looking to trade with the European Union, non-compliance could mean non-business.
The protection of data has been the subject of thousands of conversations globally. As more businesses transform digitally, how they handle and analyse data is coming under intense scrutiny.
With cybercrime growing by the day, businesses and governments are prioritising data protection and privacy – to avoid financial loss and maintain steady productivity.
The introduction of the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, is set to take on a more ambitious approach to data protection.
Although GDPR is designed to strengthen data protection within the European Union (EU), African businesses – and start-ups – are not entirely ruled out. Be careful not to fall into the trap of assuming the regulation does not apply to you.
If GDPR does apply to you, using a Cloud service can help you become compliant quickly and easily, minimising the time and resources you would need.
What is GDPR, and whom does it apply to?
GDPR is a new regulation that will provide individuals in the EU with greater control over their personal information. It will introduce tighter rules on organisations that handle, collect or analyse personal data, be it a contact number, photo or IP address. National regulators will also have increased authority to impose substantial consequences on organisations who do not comply.
The reason why African businesses need to take notice is because the regulation also addresses the export of personal data outside of the EU.
Simply put, if you do – or ever plan to do – business with or process the data of any individual living in the EU, GDPR applies to you, irrespective of your size or where you are.
Why should start-ups be concerned about GDPR?
Microsoft 4Afrika believes in taking local innovation to the world – empowering start-ups with the skills, resources and technology to scale beyond our borders. As we bring more entrepreneurs, businesses and developers online and into the Cloud, they have the opportunity to market their products, apps and solutions internationally.
However, as countries impose tighter regulations on data protection, start-ups who do not comply will be limited in their ability to scale and operate internationally – or even secure overseas investment.
Without adequate security practices in place, start-ups will be seen by European countries as a high risk from a data protection perspective, and they won’t do business with you.
Not complying with GDPR will limit your ability to have employees in the EU, sell or market your products online or offline in the EU, partner with an EU organisation; or receive funding from an EU-based investor.
GDPR is also set to become the standard benchmark for data protection. Even if you aren’t affected by this specific regulation today, you could be affected by a new one tomorrow, as countries continue to ramp up their own data protection laws.
Countries like South Africa, for example, have signed the Protection of Personal Information Act (POPI) into law. Similar to GDPR, businesses and governments will be lawfully responsible for collecting, storing and using personal information. For businesses with ties to the EU, they will need to comply with both POPI and GDPR, or risk facing hefty fines.
The best option for startups who hope to succeed in today’s digital age is to start introducing robust data protection practices now.
What is expected
There are five best practices that GDPR will expect organisations to adhere to:
- Will not be able to re-use or disclose personal information for purposes that do not link back to its original intended purpose. Organisations are required to be transparent with individuals about how their data will be used, under a lawful basis.
- Will be required to take steps ensuring that personal information is kept secure and backed up through organisational and technical security measures.
- Data must only be kept for as long as it is needed – restricting the storage of personal information.
- Personal data will need to be accurate. In cases where it is not, corrections must be made. Individuals will have the right to update any of their personal information that is incorrect.
- The collection and storage of any data must be kept minimal, collecting only what is adequate and relevant for the intended purpose.
Becoming compliant through the cloud
Becoming GDPR-compliant – or even implementing similar security measures of your own – doesn’t have to be a difficult process.
Nearly a decade ago, Microsoft established its Trusted Cloud Principles to guide Microsoft Cloud technology. Through sophisticated, built-in controls, Microsoft is able to expedite and assist organisations in becoming GDPR compliant.
By May 25, 2018, when businesses use the Microsoft Cloud to process data – be it Office 365, Dynamics 365 Windows 10 or Azure – they will be using services already compliant with the highest standards in data protection. Start-ups working with 4Afrika will receive access to these cloud-based services, automatically giving them “built-in” compliance.
If businesses are to remain relevant in today’s market, digital transformation coupled with data protection must exist at the heart of their business models. Cloud services are proving to be revolutionary for businesses aiming to digitally transform their operating systems. With the launch of Microsoft’s two local data centres in South Africa, organisations will have more easy, trusted and affordable access to the Cloud than ever before.
Louis Otieno is the corporate affairs director at Microsoft4Afrika.