Companies need to consider and address their global privacy compliance requirements
RSM's Thilen Pillay: "Disparities in African data protection law plus the EU's GDPR can be quite overwhelming."
Globally, privacy is an increasingly pressing issue for businesses. Many companies these days do business globally. This could be from having a worldwide customer base, as is the case for many e-commerce businesses, to being part of a multinational group of companies, which operate in multiple geographies. No matter where they are headquartered, they need to be aware of the applicable privacy regulations and requirements which affect the business.
According to Thilen Pillay, regional divisional director at audit, tax and consulting firm, RSM:
“The disparities in data protection legislation on the African continent already prove challenging to multinational organisations with an African presence, and when you add on the requirements of the EU’s GDPR [General Data Protection Regulation] these challenges can seem quite overwhelming. So then, how is a multinational organisation able to achieve optimal compliance? The answer is the adoption of a higher data protection standard. If a higher standard is applied, taking into consideration the particular country’s legislative requirements, compliance efforts could certainly be streamlined.”
While South Africa has its own Protection of Personal Information Act (POPI) coming into effect, the focus of many companies in South Africa has been on GDPR compliance due to its onerous requirements.
“Organisations have significantly underestimated the level of time and effort which is required for GDPR compliance. Companies such as non-profit organisations who receive international aid funding, as well as those, which serve as outsourced service providers to EU organisations, have invested time and money behind creating data mapping and GDPR readiness assessment templates. However, the reality of the time, tools and investment required to solve the gaps identified from readiness assessments have been grossly underestimated in the road to compliance. Organisations have only recently started to send out GDPR self-assessment questionnaires to their outsourced service providers, such as payroll processors, the responses to which have indicated that the outsourced organisations which they utilise are not GDPR ready in terms of their requirements as processors – which as a result has an adverse effect on the organisation’s ability to comply as controllers,” explains Thilen.
The pressure is not coming from the regulators alone. “When looking at new customers, supply chain partners or potential new investors such as those in private equity, those stakeholders do not want to engage with companies that do not take privacy seriously. They want to do business with companies that prove they have measures in place to secure personal data.”
For all these reasons, companies do not simply want to be compliant with a single standard, but rather with a comprehensive data protection standard, which can be used to address their compliance requirements in multiple jurisdictions. “In order to show that you are compliant with privacy regulation such as the GDPR, there are industry standard certifications which can be considered such as, the EU-US Privacy shield and SOC 2.”
RSM’s approach is to assist clients to achieve privacy compliance and maturity.
“We adopt a risk-based approach. We carry out data mapping, risk workshops and interviews, and perform a privacy gap analysis for them, to highlight where their issues are and prepare a concise report focusing on key findings as well as recommendations reflected in a roadmap to compliance. Achieving privacy maturity is not a quick-and-easy band-aid fix. It takes a lot of time, with changes to business processes, and requires buy-in from the C-suite to recognise that privacy is actually a key risk to the organisation.”
Once the privacy culture is adopted at the top, Thilen says, it filters down throughout the organisation.
To learn more about global privacy compliance standards, you can catch Thilen at the Finance Indaba on 16 October at the Sandton Convention Centre.