On 25 May 2018, a new set of privacy rules drawn up by the European Union (“EU”) will take effect. The General Data Protection Regulation (“GDPR”) seeks to replace the Data Protection Directive 95/46/EC.

Organisations – including many African ones – will need to make changes to their oversight, technology, processes, and human resources to comply with the GDPR.

The GDPR not only applies to organisations located within the EU, but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. The GDPR will also apply to all companies processing and holding personal data of data subjects residing in the EU, regardless of the company’s location. 

As such, many African organisations will be directly affected by the GDPR and will need to comply. Failure to do so can result in organisations being fined up to 4% of annual global turnover or EUR 20 million. Such fines are significant and the time to comply is running out.