11.04.2018

Compliance with Data Protection Regulations


Introduction

Here at Griffin Legal, we have a strong resolve to protect the interests of our clients. We try to understand the industries in which our clients operate and study the nature of your business to enable us to provide you with cutting-edge information which allows you to get ahead in your business.

Data protection has become one of the major concerns in recent times. There has arisen an urgent need to protect the privacy rights of persons because of recent data breaches exposing the personal data of persons who in some cases had no idea that other persons were processing and controlling their data.

Accordingly, many countries, in an effort to regulate the protection of data, have passed laws imposing responsibilities and obligations on legal and natural persons who process and control personal data as part of delivering their services.

We know, through our past dealings with your company as your advisors, that you provide security and profiling services to airlines here in Ghana, and that as part of your work you collect personal data on behalf of your clients, either on their instruction or of your own accord.

It is our goal to educate you on the obligations imposed on your company by law in activities which amount to processing and collecting personal information from persons and entities with whom you transact business.

Data Protection Act, 2012 (Act 843)

This law regulates the collection and enforces the protection of personal data in Ghana. It came into effect on 16 October, 2012, but registration of data controllers and processors began on 1 January, 2015.

The law sets out the rules and principles governing the collection, use, disclosure and care of personal data or information by a data controller or processor. It recognises a person's right to protect their personal data or information by mandating a data controller or processor to process (collect, use, disclose, erase, etc.) such personal data or information in accordance with the individual's privacy rights provided by Article 18(2) of the 1992 Constitution of Ghana.

Data Processing Obligations

This law imposes a duty on all persons or entities which collect personal information such as names, telephone numbers, pictures, addresses etc. from their customers to register with the Data Protection Commission. The application of this law is not industry specific but applies to all industries.

Who is a Data Controller?

A data controller is a natural or legal person who controls and is responsible for the collection, keeping and use of personal information in computer systems or in manual files.

If an organisation controls and has responsibility over the personal information it collects or holds, then that organisation is a data controller. That entity must be responsible for any of the following:

- Collecting, holding and processing personal information.
- Determining how personal information collected should be used.
- Determining what personal information should be collected and/or kept.


Who is a Data Processor?

A natural or legal person could be a data processor if it does any of the following:

- Collects, holds or processes personal data, but does not exercise responsibility for or control how the personal data is used.
- Has little or no freedom in the determination of what the data processing should entail.

If you or your organisation process the personal information, but some other individual or organisation decides and is responsible for how you process that personal information, then the said individual or other organisation that determines how you process the personal information is the data controller, and your organisation is the data processor.

It is possible for a person or entity to be both a data controller and a data processor in respect of distinct sets of personal information.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) standardises data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII). It also extends the protection of personal data and data protection rights by giving control back to EU residents. GDPR replaces the 1995 EU Data Protection Directive and goes into force on May 25, 2018.

There are many essential items in the regulation, including increased fines, breach notifications, opt-in consent and responsibility for data transfers outside the EU. As a result, the impact on businesses is huge and will permanently change the way customer data is collected, stored and used.

GDPR applies to all organisations holding and processing EU residents' personal data, regardless of geographic location. Many organisations outside the EU are unaware that the EU GDPR applies to them as well. If an organisation offers goods or services to, or monitors the behaviour of, EU residents, it must meet GDPR compliance requirements.

Fines for non-compliance are large. They can be as high as €20 million or 4% of a company's total global revenue, whichever is larger. This is the maximum fine that can be imposed for the most serious violations, e.g. not having sufficient customer consent to process data or violating core Privacy by Design concepts. However, there is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors.

Next Steps

Your company must, as a matter of urgency, determine if it is a data controller or processor and take steps to comply with the Data Protection Act, 2012 (Act 843).

We have included information on the GDPR because we are aware that you offer services to European airlines and may process personal information of EU citizens from time to time. Steps must be taken to comply with the GDPR to avoid possible liability arising from any breach of the regulation when it comes into force on May 25, 2018.

Should you have any data protection queries, please contact Griffin Legal here.

Likewise, if you require assistance drafting GDPR-compliant contracts, please contact a member of Griffin Corporate's Commercial Transaction team here.
