Human beings generate roughly 2.5 quintillion bytes of data every day. That is a staggering statistic, and it is always rising.
Data is just as vital for established conglomerates as it is for startups because of the invaluable insights it can offer. That is why organisations leave no stone unturned in collecting and processing it.
Because data is so precious, it must be kept safe from corruption, compromise, and misuse. In a data-driven world like ours, data protection laws lay the ground rules to ensure it is used correctly and fairly.
The GDPR is a regulation set up to uphold the data protection rights of EU citizens. On May 25th, 2018, two years of preparation came to a head, and the regulation came into force. In this article, I will show you how it affects you as a tech entrepreneur operating in Africa.
What is the GDPR?
GDPR stands for General Data Protection Regulation. It is a legal framework designed to give people living in European Union countries more control over online personal information.
The gold standard for data protection worldwide, the law establishes the guidelines for the collection, processing, and use of data belonging to individuals living in that area. In essence, companies with EU users must take responsibility for the personal data that they collect, transmit, store, and use.
The GDPR results from extensive European Commission data protection reforms initially proposed in January 2012. The objective of those reforms? To make Europe “fit for the digital age”. The GDPR replaced the Data Protection Directive adopted in the early days of the internet. While that directive left much open to interpretation, the GDPR meticulously lays out the details of its expectations and the punishments for defying them.
Personal data protected
The data that falls under the purview of the GDPR includes:
- Name, home address, identification numbers
- Web and location data, such as IP address, cookie ID, device ID, RFID tags
- Biometric data, such as fingerprints and facial imaging
- Personal medical data
- Racial and ethnic data
- Religious and ideological convictions
- Union membership
GDPR and African Tech Startups
If the GDPR is essentially a European Union regulation, does it affect your tech startup here in Africa? The short answer: yes, it does.
Here’s why. Even though it was drafted in Europe, the GDPR places mandates on organisations around the world as long as they:
- Target individuals based in EU countries
- Collect data from those individuals
It also significantly affects any African business with an online presence, including tech startups.
African tech firms are increasingly taking centre stage globally despite massive impediments such as insufficient access to capital. With 27 developed countries, the European Union presents a significant target market for firms seeking to establish a foothold in the global ecosystem, and even for those focused on their local market.
Bear in mind that the rate of adoption of data protection regulations in Africa is regrettably low. Only about half of the continent’s 54 countries have set up relevant laws. The GDPR was a catalyst for the formulation of some of those and still serves as a model to drive future regulations.
Until all African countries create and enforce data protection laws, and even after they do, the GDPR will remain a standard that demands compliance from businesses with EU users.
The GDPR is not the simplest of regulations, and understanding what it requires from businesses can be a daunting task.
On that note, here is an easy-to-follow breakdown of the seven principles of the GDPR.
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently. Essentially, the data subject must give informed consent. The processing must be legal and not fall under a legal grey area. In terms of fairness, you must not mishandle the data you collect. Under transparency, individuals must be able to know who you are and what you are using their data for.
- Purpose Limitation: The purpose for which you collect and process data must be specified, explicit, and clearly established. You must have a privacy notice that spells this out to anyone who views it. If you need to use collected data for any other purpose, you must ask for consent to do so.
- Data Minimization: Data is gold, but that does not mean you should be greedy. Based on this principle, you must only collect the data that is relevant for your business purposes. Asking for a phone number or home address for a survey would be going overboard.
- Accuracy: The responsibility lies with you to ensure that collected data is accurate and up to date. Regular audits should lead to the correction or erasure of incorrect data. Also, you should take note and comply if a data subject asks for correction or deletion.
- Storage Limitation: Your data retention periods should justify the length of time you store personal data. Collected data should be anonymized or deleted after the need to keep it expires.
- Integrity and Confidentiality: The personal data that you collect falls under your protection. To maintain integrity and confidentiality, put in place appropriate procedures to protect it from unauthorized use, theft, or compromise.
- Accountability: Don’t just say you’re following the rules; be accountable for it. Put measures in place to help you comply, and then keep records that can verify your efforts. This will bail you out if you fall into a dicey situation with regulators.
GDPR principles go hand in hand with the data protection rights granted to EU citizens. There are eight fundamental rights:
- Right to access personal data
- Right to rectification (correction)
- Right to erasure
- Right to restrict data processing
- Right to be notified
- Right to data portability
- Right to object
- Right to not be subjected to automated individual decision-making
There are caveats to these rights; they are not absolute.
Penalties for Non-Compliance
One of the major differences between the GDPR and previous legislation is the punitive measures that come with non-compliance. Violating GDPR requirements carries severe repercussions, scaled according to a variety of factors.
Lower-level non-compliance can result in fines of up to €10 million or 2% of a company’s annual revenue. For more severe violations, organizations can receive fines of up to €20 million or 4% of annual revenue. In both cases, whichever of the two figures is higher applies.
Since 2018, the Information Commissioner’s Office (ICO), the body regulating the legislation, has dished out more than 1,100 fines. In total, that amounts to over €1.2 billion. Amazon, with €746 million, has received the lion’s share of that.
So far, no African tech company has fallen under the ICO’s hammer. Don’t take that for granted, though. It is safe to assume that the regulator has granted African companies some leniency so far. However, that could change at any time. The rate of punitive measures has soared over the last couple of years. It is only a matter of time before companies on the continent receive more attention.
How can your startup be compliant?
If your tech startup has been in business for a while, then chances are that you already have measures in place for data protection.
At the very least, you should have systems set up to protect the personal information that you collect from individuals to prevent loss, theft, or unauthorised use. Appropriately tweaking these may be all you need to keep your startup in the GDPR’s good books.
These are some steps you can take to ensure compliance:
- Study the GDPR. As previously mentioned, it is a complex document. However, studying it anyway can help keep you from straying from its ambition.
- Audit the personal data that your company collects and stores from individuals. Document where it comes from, if possible.
- Put systems in place to comply with data subjects’ rights. Study the eight rights I highlighted above. For instance, if an individual asks that you erase their data, you should be able to do so.
- Review the personal data that you hold on children. Under the GDPR, processing the data of children under the age of 16 is only lawful with the consent of their parents or guardians. Does your company bear this in mind? It should.
- Encrypt the personal data in your possession. Encryption keeps your collected data safe and private.
- Reach out to compliant businesses for help. Remember that the regulation affects businesses globally. If you struggle with aspects of the GDPR, asking other tech companies for direction, especially established ones, can help you stay in the clear. You may want to restrict this to non-rival companies just to be safe.
My Experience With GDPR
Between 2018 and 2019, I took on a managerial role in a West African outdoor advertising agency with high ambitions to merge digital experiences into outdoor advertising. During this period, in which I managed a third-party web development agency to create an automated process for billboard booking and inventory management for advertising spaces, I gained a lot of hands-on experience with the GDPR.
We became one of the very few African businesses that strove to ensure maximum compliance with GDPR stipulations. This distinguished the company from the rest of the pack and made it easier for us to engage confidently with clients in and from the EU.
As the founder of a tech startup in Africa, you must keep a finger on the pulse of countless issues so your business can sail smoothly. Not least of all is the GDPR, the regulation that sets rules in place regarding data protection and privacy.
Whether or not you have a physical presence in the European Union, this law is one you should observe. If your business is in South Africa, Nigeria, Rwanda, or a score of other countries, complying with local laws will make doing so significantly easier.
Either way, study the regulations and put systems in place to adhere to them. That way, you won’t have to worry about forking out thousands, or even millions, of euros in fines.
Article written by Jide Williams