GDPR and startups: Will the new data protection act limit your ability to grow and trade?

For African businesses – large or small – looking to do business with the European Union, non-compliance could mean non-business.

The protection of data has been the subject of thousands of conversations globally. As more and more businesses digitally transform, how they handle and analyse data is coming under more intense scrutiny.  With the force of cybercrime growing by the day, businesses and governments are placing data protection and privacy at the top of their priority list – in an effort to avoid financial loss and maintain steady productivity.

The introduction of the General Data Protection Regulation (GDPR), which takes effect on 25 May 2018, is set to take on a more ambitious approach to data protection.

Although GDPR is designed to strengthen data protection within the European Union (EU), African businesses – and startups – are not entirely ruled out. Be careful of falling into the trap of assuming the regulation does not apply to you.

If GDPR does apply to you, using a cloud service can help you become compliant quickly and easily, minimising the time and resources you would need.

What is GDPR – and who does it apply to?

GDPR is a new regulation that will provide individuals in the EU with greater control over their personal information. It will introduce tighter rules on organisations that handle, collect or analyse personal data, be it a contact number, photo or computer IP address. National regulators will also have increased authority to impose substantial consequences on organisations who do not comply.

The reason why African businesses need to take notice is because the regulation also addresses the export of personal data outside of the EU.

Simply put, if you do – or ever plan to do – business with or process the data of any individual living in the EU, GDPR applies to you, irrespective of your size or where you are.

Why should startups be concerned about GDPR?

Microsoft 4Afrika believes in taking local innovation to the world – empowering startups with the skills, resources and technology to scale beyond our borders. As we bring more entrepreneurs, businesses and developers online and into the cloud, they have the opportunity to market their products, apps and solutions internationally.

However, as countries impose tighter regulations on data protection, startups who do not comply will be limited in their ability to scale and operate internationally – or even secure overseas investment. Without adequate security practices in place, startups will be seen by European countries as a high risk from a data protection perspective, and they won’t do business with you.

Not complying with GDPR will limit your ability to have employees in the EU, sell or market your products online or offline in the EU, partner with an EU organisation; or receive funding from an EU-based investor.

GDPR is also set to become the standard benchmark for data protection. Even if you aren’t affected by this specific regulation today, you could be affected by a new one tomorrow, as countries continue to ramp up their own data protection laws.

Countries like South Africa, for example, have signed the Protection of Personal Information Act (POPI) into law. Similar to GDPR, businesses and governments will be lawfully responsible for collecting, storing and using personal information. For businesses with ties to the EU, they will need to comply with both POPI and GDPR, or risk facing hefty fines.

The best option for startups who hope to succeed in today’s digital age is to start introducing robust data protection practices now.

Making sense of what is expected

There are five best practices that GDPR will expect organisations to adhere to:

  • Organisations will not be able to re-use or disclose personal information for purposes that do not link back to its original intended purpose. Organisations are required to be transparent with individuals about how their data will be used, under a lawful basis.
  • Organisations will be required to take steps ensuring that personal information is kept secure and backed up through organisational and technical security measures.
  • Data must only be kept for as long as it is needed – restricting the storage of personal information.
  • Personal data will need to be accurate. In cases where it is not, corrections must be made. Individuals will have the right to update any of their personal information that is incorrect.
  • The collection and storage of any data must be kept minimal, collecting only what is adequate and relevant for the intended purpose.

Becoming compliant through the cloud

Becoming GDPR compliant – or even implementing similar security measures of your own – doesn’t have to be a difficult process.

Nearly a decade ago, Microsoft established its Trusted Cloud Principles to guide Microsoft Cloud technology. Through sophisticated, built-in controls, Microsoft is able to expedite and assist organisations in becoming GDPR compliant.

By May 25 2018, when businesses use the Microsoft Cloud to process data – be it Office 365, Dynamics 365 Windows 10 or Azure – they will be using services already compliant with the highest standards in data protection. Startups working with 4Afrika will receive access to these cloud-based services, automatically giving them ‘built-in’ compliance.

If businesses are to remain relevant in today’s market, digital transformation coupled with data protection must exist at the heart of their business models. Cloud services are proving to be revolutionary for businesses aiming to digitally transform their operating systems. With the launch of Microsoft’s two local data centres in South Africa, organisations will have more easy, trusted and affordable access to the cloud than ever before.

While businesses don’t require cloud to be GDPR compliant, using Microsoft Cloud services that are tailored to organisational needs will help you to become automatically compliant. This saves you on cost, infrastructure and time, allowing you to focus on what matters most – meeting your bottom-line objectives.