Search for:

Legal Trends

#BizTrends2018: 'Privacy by Design' - Africa's best chance for global data protection compliance

The European Union's General Data Protection Regulation (GDPR), which will be implemented on 25 May 2018, is raising the bar for data protection globally, and setting a new gold standard in a digitally transforming world.
#BizTrends2018: 'Privacy by Design' - Africa's best chance for global data protection compliance
© Oleksandr Omelchenko – 123RF.com

While policymakers and legal systems attempt to get to grips with the imminent changing landscape of data protection laws across the globe, there is much that business can and should do in the meantime to get itself ready.

African businesses may find themselves squarely within the GDPR's wide territorial reach if they have a presence in the EU, or offer goods and services or monitor individuals in the EU. Moreover, transfers of personal information outside of the EU will only be permitted subject to strict requirements. The GDPR therefore brings data protection laws around the world into sharp focus, and Africa is no exception.

Alexia Christie
Alexia Christie

In Africa, data protection laws are largely in a state of flux, and many African nations are a long way from meeting any 'adequacy' requirement. If Africa wants to participate in the global market come 2018, it will have to move quickly. On the African continent, we are likely to see a proliferation of data protection legislation, much of which may seek to align with the requirements of the GDPR. It makes business sense to achieve an 'adequate level' of data protection as this will facilitate the free flow of data into and out of the EU, and may serve as a competitive advantage for business in Africa. However, relying solely on law and policy makers may be too little, too late for business. What then can African businesses do in the interim, whilst law-makers and regulators get their affairs in order? The answer may lie with an often-overlooked principle espoused in the GDPR: Privacy by Design.

Privacy by Design and the related principle of Privacy by Default are embodied in Article 25 of the GDPR. Privacy must be integral to the organisational priorities, design processes and planning operations of every business. Practically, this means that privacy must be considered at every organisational level, from buy-in at board level, to development and implementation of systems and processes. It means that business should build systems and technologies with data protection at the core. This will ensure that the right systems are built from the outset, and will avoid the costly and time-consuming exercise of remedying mistakes.

Practical next steps for business in Africa

Rubeena Parker
Rubeena Parker

Drawing on the key principles of Privacy by Design as articulated by the former Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, we anticipate some steps shrewd African businesses might take towards getting GDPR-ready:

  • be pro-active, and develop a culture of "continuous improvement";
  • use privacy as the default setting;
  • embed privacy into the design and architecture of all systems;
  • balance privacy and security: do not sacrifice functionality at the altar of data protection;
  • ensure "cradle to the grave" protection: protect data across its entire life-cycle, from collection to destruction;
  • keep systems and practices visible and transparent; and
  • maintain focus on the user and the need to respect user privacy.

Visible commitment to the principle of Privacy by Design will show that your business is working towards full compliance with the GDPR, and may create a competitive advantage. This may be more effective and more expedient than waiting for 'adequate' legislation to do the work alone.

About Alexia Christie and Rubeena Parker

Alexia Christie is a partner and Rubeena Parker Rubeena Parker, an associate, in the Technology, Media, Telecommunications & Intellectual Property Practice at Webber Wentzel.
Let's do Biz