GDPR: The implications for Africa

In a previous article, we gave you a quick breakdown on 5 things you need to know about Data Protection. In the weeks since then, Amazon was hit with an $886.6m fine for allegedly breaking European Union data protection laws. Amazon is not the first to be penalised under the GDPR however, this fine is the largest there has been thus far. The details regarding Amazon’s alleged breach are somewhat hazy however, GDPR guidelines regarding infringement and the $886m penalty would suggest it was a serious breach.

Just a quick re-cap. The General Data Protection Regulation (GDPR) came into effect in 2018 and quickly became the ‘gold-standard’ on the handling and protection of personal data not only within Europe but internationally. Among the key areas of compliance is Article 1 of the GDPR, which lays down the subject matter and objectives of the regulation as protecting EU natural persons (subjects) with regards to the processing of personal data and rules relating to the free movement of personal data. It makes it a requirement for companies and entities serving EU subjects to ask for subjects’ data in a clear and accessible language. Additional requirements include:

• the deletion of data should a subject request for it;
• accounting of how and why subjects’ data is processed; and
• upon request, providing subjects with copies of their data in machine readable format.

Other rights that accrue to the data subject such as the right to erasure, data portability, consent, right to know, rectification, and right to be informed, have been prioritised. Infringement of provisions of the GDPR may result in administrative fines of up to €20 million, or up to 4% of an entity’s annual turnover.

Within Africa, knowledge and implementation of GDPR requirements has, for the most part,  been limited to large corporations. African countries have slowly been enacting laws to protect the digital data of citizens for example the Protection of personal information Act (POPIA) in South Africa, and the Cyber and Data Protection Bill in Zimbabwe. However, this has the potential effect of providing a false sense of security particularly where the legislation is not at par with the GDPR.

If the potential fines are not compelling enough to deter African organisations from non-compliance then perhaps some incentives. EU organisations are required to not only ensure that they are GDPR compliant but also that the third party organisations they deal with or potentially share personal data with are also GDPR compliant. Resultantly, African organisations are presented with a rare opportunity to establish and strengthen strategic partnerships with EU organisations, leveraging their resources and substantially lower costs of doing business, through GDPR compliance.

In May 2021 at the Summit of Financing African Economies, the European Union committed to accelerating its financial efforts in favour of a sustainable and inclusive growth model led by Africa’s dynamic private sector and investment into quality infrastructure. Over the next seven years, under the new EU financing instrument, “Global Europe”, €29 billion is foreseen for Sub-Saharan Africa with the view of complementing the existing partnerships and joint-ventures between European and African companies. It follows therefore, that adherence to the GDPR by African entities may determine whether they attract of retain more European business partners.

In light of Amazon’s judgement, it is imperative, particularly for organisations in Africa to recognise the importance of GDPR compliance if they are EU based, monitor the behaviour of or offer goods or services to clients in the EU. Regardless of jurisdiction, infringement will not be tolerated. To ensure that innovators and business entities in Africa remain competitive and avoid hefty fines under the GDPR, capacity enhancement in infrastructure and human resources to ensure appropriate data collection, storage and processing will be required as a matter of urgency.