
What’s the hype around GDPR?

Many South African businesses have now heard of the Protection of Personal Information Act (POPI), and some have begun updating their policies to prepare for their new data processing responsibilities in terms of the act.

But, in the face of the incorporation of this new South African law, many will miss their compliance objective if they are not aware that European Union (EU) protection laws – the General Data Protection Regulation (GDPR) – may also apply to their operations.

Who does it apply to?

If a South African entity processes the personal information of an EU resident (regardless of the EU citizen’s physical location at the time), it must adhere to the EU laws on data protection (in addition to POPI). In particular, it will need to implement and adhere to GDPR, as of May 2018. So it’s time to act quickly!

The GDPR sets out the rights and duties of both the party responsible for the handling and direction of the data (called the Data Controller) and any third parties contracted to process people’s personal information (called the Processor). So if your business is involved in any of these processes, you need to be aware of GDPR.

What happens if you do NOT comply?

Fines for non-compliance can be massive. They’re administered by individual EU member state supervisory authorities on GDPR and these bodies use a range of factors to determine the fines, which can be up to €20 million or 4% of the worldwide annual revenue of the company’s prior financial year, whichever is higher. It’s no joke.

How best to comply:

If your company’s operations trigger your role as a Data Controller or Processor, you will need to ensure that your company has a comprehensive Data Protection and Personal Information Policy to not only provide all the GDPR’s mandatory information, but to also ensure that you are correctly implementing the data rights as per the requirements for your role in the processing chain.

Further, if you are a service provider that processes the information of data subjects, it is essential that data processing roles and duties are comprehensively detailed in any Service Level Agreements (SLAs) that you may have in place with your clients.

How can Legalese assist?

Not only can Legalese draft both the comprehensive data policies and SLAs for your company (or review and update existing ones which you may already have), but we can also provide practical advice on which of your company’s functions may also trigger the application of GDPR (such as click-wrap consents, opt-in/opt-out tools and hyperlink provisions).

Get in touch with us to discover how we can make GDPR compliance smooth and simple for you and your company on

190A Buitengracht St
Bo Kaap
Cape Town