What compliance needs to know about data privacy

By: James George, Compliance Manager, Compli-Serve SA

You don’t have to be a tech-savvy computer boffin to address the basics of data privacy. Like many areas compliance departments oversee, asking the right questions and getting the right internal controls in place are the most important first steps to addressing data privacy concerns within an organisation. The problem is, many companies aren’t following this process.

Data privacy compliance is built on the same foundation as other regulatory undertakings that compliance professionals are already familiar with, and deal with on a daily basis – such as the FAIS Act, FIC, Banks Act and others.

SA lags quite far behind many other countries around the world in implementing comprehensive data privacy laws. Many countries – with Europe taking the lead – have had these in place for many years already, and SA is now among them, though we are still awaiting the commencement date.

What this means for SA

Many SA-based compliance professionals are not as familiar with what data privacy laws are and, equally important, how a company complies with them. Especially for companies doing business internationally, this is a small but fast-growing problem. While enforcement has been low relative to the high penalties we’ve seen for other types of regulatory enforcement, we are experiencing a perfect storm: the volume of data and the sophistication of technology are growing, while more countries are enacting and strengthening data privacy laws.

Enforcement and legal activity continues at a fast pace. Earlier this year, Italy imposed a record data privacy fine of €5.9 million (a little over R91 million at the time of writing) on a UK company for violating Italian data privacy consent rules. In that case, the UK company had sent money transfers to China without users’ consent. A few days later, Russia enacted a law increasing fines for violating Russian data protection laws.

In 2018, the EU’s General Data Protection Regulation will come into effect, introducing fines of up to €20 million (almost R310 million) or 4% of annual revenue, whichever is greater, for data breaches. In the future, we may see much larger fines, making now the time for compliance departments to act.

Mitigation of risk

Compliance departments mitigate regulatory risks, and data privacy laws are no exception. As this is a new but quickly growing area of concern, compliance professionals who take an active approach, putting basic data privacy components into place, will find themselves far ahead of the game.

Addressing data privacy should be done the same way other risks are: assess your risk sources, design appropriate risk mitigation steps such as policies and procedures, assign responsibility and training, set up internal controls, and then of course implement these steps. To do so effectively, compliance professionals must work closely with their IT department, relying upon it as a partner in the same way they rely on HR.

Data privacy is not as easy as other compliance department risk areas, but ignore it at your peril.