Compliance with Data Protection Regulations
Introduction
Here at Griffin Legal, we have a strong resolve to protect the interests of our clients. We try to understand the industries in which our clients operate and study the nature of your business so that we can provide you with cutting-edge information that allows you to get ahead in your business.
Data protection has become one of the major concerns of recent times. An urgent need has arisen to protect the privacy rights of individuals because of recent data breaches exposing the personal data of people who, in some cases, had no idea that others were processing and controlling their data.
Accordingly, many countries, in an effort to regulate the protection of data, have passed laws imposing responsibilities and obligations on legal and natural persons who process and control personal data as part of delivering their services.
We know, through our past dealings with your company as your advisors, that you provide security and profiling services to airlines here in Ghana and that, as part of your work, you collect personal data on behalf of your clients, either on their instruction or on your own initiative.
It is our goal to educate you on the obligations the law imposes on your company in activities which amount to collecting and processing personal information from the persons and entities with whom you transact business.
Data Protection Act, 2012 (Act 843)
This law regulates the collection of personal data in Ghana and enforces its protection. It came into effect on 16 October 2012, but registration of data controllers and processors began on 1 January 2015.
The law sets out the rules and principles governing the collection, use, disclosure and care of personal data or information by a data controller or processor. It recognises a person's right to protect their personal data or information by mandating a data controller or processor to process (collect, use, disclose, erase, etc.) such personal data or information in accordance with the individual's privacy rights provided by Article 18(2) of the 1992 Constitution of Ghana.
Data Processing Obligations
This law imposes a duty on all persons or entities which collect personal information, such as names, telephone numbers, pictures and addresses, from their customers to register with the Data Protection Commission. The application of this law is not industry specific; it applies to all industries.
Who is a Data Controller?
A data controller is a natural or legal person who controls, and is responsible for, the collection, keeping and use of personal information in computer systems or in manual files.
If an organisation controls and has responsibility over the personal information it collects or holds, then that organisation is a data controller. Such an entity is responsible for any of the following:
• collecting, holding and processing personal information;
• determining how the personal information collected should be used;
• determining what personal information should be collected and/or kept.
Who is a Data Processor?
A natural or legal person is a data processor if it does any of the following:
• collects, holds or processes personal data, but does not exercise responsibility for, or control over, how the personal data is used;
• has little or no freedom in determining what the data processing should entail.
If you or your organisation process personal information, but some other individual or organisation decides and is responsible for how you process it, then that other individual or organisation is the data controller and your organisation is the data processor.
It is possible for a person or entity to be both a data controller and a data processor in respect of distinct sets of personal information.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) standardises data protection law across all EU member states (28 at the time of writing) and imposes strict new rules on the control and processing of personal data. Note that "personal data" under the GDPR is broader than the US-style notion of personally identifiable information (PII): it covers any information relating to an identified or identifiable natural person, including online identifiers such as IP addresses. The GDPR also extends the protection of personal data and data protection rights by giving control back to individuals in the EU. It replaces the 1995 EU Data Protection Directive and applies from 25 May 2018.
There are many essential items in the regulation, including increased fines, breach notification, opt-in consent and responsibility for data transfers outside the EU. As a result, the impact on businesses is huge and will permanently change the way customer data is collected, stored and used.
The GDPR applies to all organisations holding and processing the personal data of individuals in the EU, regardless of where the organisation is located. Many organisations outside the EU are unaware that the GDPR applies to them as well. If an organisation offers goods or services to, or monitors the behaviour of, individuals in the EU, it must meet the GDPR's compliance requirements.
Fines for non-compliance are large. They can be as high as €20 million or 4% of a company's total worldwide annual turnover for the preceding financial year, whichever is higher. This is the maximum fine that can be imposed for the most serious violations, e.g. not having sufficient customer consent to process data, or violating core Privacy by Design concepts. However, there is a tiered approach to fines: a company can be fined up to €10 million or 2% of worldwide annual turnover for not having its records in order, not notifying the supervisory authority (within 72 hours of becoming aware, where feasible) and the affected data subjects about a breach, or not conducting a data protection impact assessment where one is required. It is important to note that these rules apply to both controllers and processors.
Next Steps
Your company must, as a matter of urgency, determine whether it is a data controller or a data processor and take steps to comply with the Data Protection Act, 2012 (Act 843).
We have included information on the GDPR because we are aware that you offer services to European airlines and may from time to time process the personal information of individuals in the EU.
Steps must be taken to comply with the GDPR to avoid possible liability arising from any breach of the regulation once it applies from 25 May 2018.
Should you have any data protection queries, please contact Griffin Legal here.
Likewise, if you require assistance drafting GDPR-compliant contracts, please contact a member of Griffin Corporate's Commercial Transaction team here.