From May 25 (tomorrow), GDPR will officially go into effect and businesses collecting, manipulating or transferring any kind of personal data from EU citizens or on EU soil will be legally required to implement certain changes that allow users of the services/platforms greater control over their personal data.
What is GDPR?
The General Data Protection Regulation (GDPR) is today’s version of 1995’s Data Protection Directive, which was adopted in the early days of the Internet. The point of this regulation is “…to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy,” in other words: giving data owners better control over their data. GDPR requires businesses that are collecting/storing any kind of personal data of EU citizens, or with any kind of personal data operations on EU soil, to:
- Explain/justify why they are storing user’s personal information when asking for it.
- Explain what they’ll use the data they collect for.
- Document the user giving them consent to store their data.
- Provide all stored information (including in-house iterations) on a user, should the user ask for it, in an accessible/standard format.
- Delete all information (including backups) they have on a user, if the user requests they do so, within thirty days.
What do African startups need to know about GDPR?
Technically, GDPR does not apply directly to African startups. However, it requires any data sourced from EU citizens to comply with its rules which means businesses who store that information (even if they are stored in the EU) will still be subject to GDPR regulations.
That in itself is not necessarily a problem except at the point of online customer acquisition, it’s almost impossible to determine citizenship, which dramatically increases the potential to flout the GDPR rules.
For example, if you’re an African remittance startup, and you want to acquire a Paris-based French-Nigerian woman who wants to send money home, then you will have to a) explain how her personal data (which you will collect to facilitate this acquisition) will be used and b) ask her for permission to use that data in any way at all, if you don’t want to break the rules.
What are the potential consequences for breaking GDPR rules?
Penalties under the GDPR regulations are tiered and vary depending on the gravity of an offence topping off at 4% of annual global turnover or €20 million, whichever is more.
What should African Startups do?
Play it safe and comply. If your business serves a lot of European customers then it’s a no brainer – you definitely have to comply.
The GDPR regulation is quite progressive too and has the potential to become a global standard (thanks to its cross continental effect) so compliance will be beneficial in the long term and could offer a competitive advantage.
Note: GDPR became official in 2016 and the past two years have been to allow businesses and larger companies enough time to right their ship. You’re only hearing all the noise now because deadline day is close.