GDPR goes into effect today, and businesses collecting, manipulating or transferring any kind of personal data from EU citizens or on EU soil will be legally required to implement certain changes that allow users of their services/platforms greater control over their personal data.
The General Data Protection Regulation (GDPR) is today’s version of 1995’s Data Protection Directive, which was adopted in the early days of the Internet. The point of this regulation is “…to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy,” in other words: giving data owners better control over their data. GDPR requires businesses that are collecting/storing any kind of personal data of EU citizens, or with any kind of personal data operations on EU soil, to:
- Explain/justify why they are storing a user’s personal information when asking for it.
- Explain what they’ll use the data they collect for.
- Document the user giving them consent to store their data.
- Provide all stored information (including in-house iterations) on a user, should the user ask for it, in an accessible/standard format.
- Delete all information (including backups) they have on a user, if the user requests they do so, within thirty days.
What do African startups need to know about GDPR?
Technically, GDPR does not apply directly to African startups. However, it requires any data sourced from EU citizens to comply with its rules, which means businesses that store that information (even if they are stored in the EU) will still be subject to GDPR regulations.
That in itself is not necessarily a problem, except that at the point of online customer acquisition it’s almost impossible to determine citizenship, which dramatically increases the potential to flout the GDPR rules.
What are the potential consequences for breaking GDPR rules?
Penalties under the GDPR regulations are tiered and vary depending on the gravity of an offence, topping out at 4% of annual global turnover or €20 million, whichever is more.
What should African startups do?
Play it safe and comply. If your business serves a lot of European customers, then it’s a no-brainer – you definitely have to comply.
GDPR is quite progressive too and has the potential to become a global standard (thanks to its cross-continental effect), so compliance will be beneficial in the long term and could offer a competitive advantage.