The European General Data Protection Regulation (GDPR) is due to come into force in May next year. Companies are already doing the needful to ensure compliance with this piece of legislation. Mauritius has also followed by coming up with a new Data Protection Act. Dr Peter Tobin, a Data Privacy & Compliance Expert, talks about the changes to be expected with the GDPR, and how Mauritian companies are expected to react and act.
>> You must have had the opportunity to interact with people from the audience. Would you say that they are worried about the General Data Protection Regulation (GDPR)?
I think that the quality and quantity of the audience demonstrates that GDPR is something that is important, not just for local consideration but for Mauritius' international trading position. The prior knowledge of the audience was already at a high level, partly because of the good work done by the local Data Protection Commissioner. Many people today can research international trends themselves via the Internet, but it's impossible to add value via a web search. So coming to this type of workshop, for a lot of people, would help them to clarify some of their pre-conceptions, some of their ideas, and yet, at the same time, it's an opportunity to network with their peers as to what is going to best suit them.
>> What does the GDPR fundamentally change for Mauritius?
The GDPR has had a big influence on the renewal of the Data Protection Act. As we heard from the Data Protection Commissioner this morning (Editor's note: Wednesday 13th of December), your Act was first passed back in the year 2004, and came into force in 2009. In the fast-moving world in which we live, five or 10 years is now a long time to be behind the curve in terms of legislation. The European Union passed the GDPR in 2016 with a two-year window for compliance by 2018. Your Mauritius Commissioner, this morning, indicated that your new Act – to align with the GDPR – was passed just a few days ago and is intended to come into full force in time for alignment with the GDPR in May. This makes it both urgent and important.
>> Do you think we will indeed be ready by May 2018, the month the GDPR will come into force?
I think many organizations are going to have a challenge if they had done nothing about the existing Mauritius legislation. The international dimension now makes it even more important for organizations to prepare themselves. There will be challenges; there is no doubt. But to demonstrate that you have taken the first steps is going to be a good contribution to making compliance happen at some point in the future. The sooner the better.
>> What about the cost factor related to the implementation of the GDPR by companies, be it local or international?
There are two elements to consider about the cost. One is the cost of achieving compliance. There is no doubt that organizations are going to have to look to a mix of internal and external resources. Whenever there is something new like the new legislation, it is very difficult to tackle that with only internal resources that have no experience in the area…
The other cost, in terms of the GDPR, is the cost of non-compliance. It is not related to the fines and penalties that may be raised by the Commissioner, but it is the cost of potential loss of business opportunities, because other organizations who are moving faster towards compliance, not just in Mauritius but around the world, are going to prove to be more effective competitors. If Mauritius wants to grow the industries which are important, namely financial services, outsourcing and tourism, so many of those depend on international trade links, and the GDPR is setting the terms for what's happening around the world. It's not just what Europe is doing, but what the world is doing. And the Mauritian economic community is very much now a global one.
>> So, the GDPR will affect all economic sectors of Mauritius, or only those companies dealing with European residents?
So, we tackled two issues this morning. Number one, you have a new local legislation which has been enacted. The Commissioner confirmed the new Data Protection Act 2017 which will come into force in 2018. That applies to all Mauritian-based companies. The European Union legislation applies to any Mauritian company which is providing products or services in Europe, for example tourism, financial services, maybe healthcare services through a Mauritian-based company that must then demonstrate that the personal data of European residents is being managed to the European standards.
In other words, companies based in Mauritius which are servicing European clients must demonstrate their compliance. So, some people in the realm of Mauritian companies are faced with the challenge of complying with two new pieces of legislation in the next few months.
>> That’s a lot for one company…
It may seem to be… Fortunately, your Data Protection Commissioner has been very clever. They made it very close together; so in tackling one you are a long way to tackling the other.
>> So it will be kind of automatic?
The gradual is the problem because we have a short window. But it is very important for the Mauritian economy to ensure that there is every indication so that international partners can have confidence that you have been and continue to be a leader in Indian Ocean African States. We heard this morning from the Commissioner that the ratification of the Convention 108 of the International Data Privacy Standards is an indication of leadership demonstrated by the Mauritian Government.
>> What about Data Controllers and Processors? Does the GDPR add more burden to their responsibilities?
Yes, there are new definitions as to the rights and responsibilities of data subjects, controllers and processors in the whole information life cycle. It’s quite clear that the European approach is to hold equally accountable the controller, which is the one processing the information, and the processor who is providing a service to the controller. Those two parties can both be held liable for non-compliance in terms of the processing of data.
This is a significant change from the previous legislation, where only the controller was held accountable. This means that there must be a review of relationships, revisions to contractual terms between contracting parties, and the data subjects should expect to have their rights respected now by both data controllers and processors.
>> They are the ones on the hot seat now?
Yes, in terms of being under the focus. What we are going to find is a lot more of what you might call stakeholder activism, that is, people who are getting fed up with receiving unsolicited emails and SMS, and being bombarded with marketing materials. They want their rights to be more respected, and that's one of the reasons why the new legislation is being introduced.