Compliance with Data Protection Regulations
Who is a Data Processor?
A natural or legal person is a data processor if it does either of the following:
- collects, holds or processes personal data, but does not exercise responsibility for, or control over, how the personal data is used; or
- has little or no freedom in determining what the data processing should entail.
If you or your organisation process personal information, but another individual or organisation decides, and is responsible for, how you process that personal information, then that other individual or organisation is the data controller and your organisation is the data processor.
It is possible for a person or entity to be both a data controller and a data processor in respect of distinct sets of personal information.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) standardises data protection law across all 28 EU member states and imposes strict new rules on the controlling and processing of personal data. It also extends the protection of personal data and data protection rights by giving control back to EU residents. GDPR replaces the 1995 EU Data Protection Directive and applies from May 25, 2018.
There are many essential items in the regulation, including increased fines, breach notification, opt-in consent and responsibility for transfers of data outside the EU. As a result, the impact on businesses is huge and will permanently change the way customer data is collected, stored and used.
GDPR applies to all organisations holding and processing the personal data of EU residents, regardless of where the organisation is located. Many organisations outside the EU are unaware that the GDPR applies to them as well. If an organisation offers goods or services to, or monitors the behaviour of, EU residents, it must meet GDPR compliance requirements.
Fines for non-compliance are large. They can be as high as €20 million or 4% of a company's total worldwide annual turnover for the preceding financial year, whichever is higher. This is the maximum fine and is reserved for the most serious violations, e.g. not having sufficient customer consent to process data or violating core Privacy by Design concepts. However, there is a tiered approach to fines: a company can be fined up to €10 million or 2% of turnover for not having its records in order, not notifying the supervisory authority and the data subjects about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors.
Next Steps
Your company must, as a matter of urgency, determine whether it is a data controller or a data processor and take steps to comply with the Data Protection Act, 2012 (Act 843).
We have included information on the GDPR because we are aware that you offer services to European airlines and may, from time to time, process the personal information of EU citizens. Steps must be taken to comply with the GDPR to avoid possible liability arising from any breach of the regulation once it applies from May 25, 2018.
Should you have any data protection queries, please contact Griffin Legal.
Likewise, if you require assistance drafting GDPR-compliant contracts, please contact a member of Griffin Corporate's Commercial Transactions team.