Legal Trends

Marketing & Media trends

Retail trends

More Articles

Subscribe to industry newsletters

#BizTrends2018: 'Privacy by Design' - Africa's best chance for global data protection compliance

The European Union's General Data Protection Regulation (GDPR), which will be implemented on 25 May 2018, is raising the bar for data protection globally, and setting a new gold standard in a digitally transforming world.
© Oleksandr Omelchenko –
While policymakers and legal systems attempt to get to grips with the imminent changing landscape of data protection laws across the globe, there is much that business can and should do in the meantime to get itself ready.

African businesses may find themselves squarely within the GDPR's wide territorial reach if they have a presence in the EU, or offer goods and services or monitor individuals in the EU. Moreover, transfers of personal information outside of the EU will only be permitted subject to strict requirements. The GDPR therefore brings data protection laws around the world into sharp focus, and Africa is no exception.

Alexia Christie
In Africa, data protection laws are largely in a state of flux, and many African nations are a long way from meeting any 'adequacy' requirement. If Africa wants to participate in the global market come 2018, it will have to move quickly. On the African continent, we are likely to see a proliferation of data protection legislation, much of which may seek to align with the requirements of the GDPR. It makes business sense to achieve an 'adequate level' of data protection as this will facilitate the free flow of data into and out of the EU, and may serve as a competitive advantage for business in Africa. However, relying solely on law and policy makers may be too little, too late for business. What then can African businesses do in the interim, whilst law-makers and regulators get their affairs in order? The answer may lie with an often-overlooked principle espoused in the GDPR: Privacy by Design.

Privacy by Design and the related principle of Privacy by Default are embodied in Article 25 of the GDPR. Privacy must be integral to the organisational priorities, design processes and planning operations of every business. Practically, this means that privacy must be considered at every organisational level, from buy-in at board level, to development and implementation of systems and processes. It means that business should build systems and technologies with data protection at the core. This will ensure that the right systems are built from the outset, and will avoid the costly and time-consuming exercise of remedying mistakes.

Practical next steps for business in Africa

Rubeena Parker
Drawing on the key principles of Privacy by Design as articulated by the former Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, we anticipate some steps shrewd African businesses might take towards getting GDPR-ready:
  • be pro-active, and develop a culture of "continuous improvement";
  • use privacy as the default setting;
  • embed privacy into the design and architecture of all systems;
  • balance privacy and security: do not sacrifice functionality at the altar of data protection;
  • ensure "cradle to the grave" protection: protect data across its entire life-cycle, from collection to destruction;
  • keep systems and practices visible and transparent; and
  • maintain focus on the user and the need to respect user privacy.
Visible commitment to the principle of Privacy by Design will show that your business is working towards full compliance with the GDPR, and may create a competitive advantage. This may be more effective and more expedient than waiting for 'adequate' legislation to do the work alone.
Get a daily news update via WhatsApp or sign up to our newsletters.

About the author

Alexia Christie is a partner and Rubeena Parker Rubeena Parker, an associate, in the Technology, Media, Telecommunications & Intellectual Property Practice at Webber Wentzel.