A practitioner’s perspective on the new Data Protection Act
The Data Protection Act
With the coming into force of the General Data Protection Regulation (‘GDPR’) in the European Union (‘EU’) in May 2018, the repeal of the existing laws and enactment of a new Data Protection Act (‘DPA’) in Mauritius was much anticipated.
The DPA has adopted a very similar framework to the GDPR and this will certainly allow for more trust in the Mauritius jurisdiction from EU businesses and data subjects. The benefits also include less hassle for outsourcing, tourism and financial industry service providers to show compliance to what could have been two very different rules.
From a practitioner’s perspective, the new law provides certainty as to the direction our legislators want the country to go. For those organisations dealing with EU data subjects, it allows them to continue putting into place appropriate frameworks to comply with the GDPR by May 2018 while also be in line with the requirements of the DPA.
DPA - What is in store
The most recent surveys on the implementation of the GDPR in the EU show that most organisations are not ready or fully compliant with the quite onerous and extensive requirements of the GDPR.
For Mauritius, we should therefore bear in mind that implementation and compliance to the requirements of the DPA will not be without its pain especially if the previous version of the DPA had not been well implemented in an organisation.
The main changes
It is quite possible that the new DPA, as it happened with the old DPA, will mean drastic changes to the way we deal with data on individuals. The main changes can be summarised as follows:
In addition to the controller, data protection obligations rest on the processor as well.
Technological changes have meant that online identifiers will now be included as personal data e.g. an IP address, a cookie, location information or even a screen name.
The corollary is that information security becomes crucial and more so data governance.
Anonymisation, encryption and pseudonymisation will generally require investment in IT systems while data flows may need to have a route through the data protection officer or the compliance/risk teams.
Importantly, following a number of high profile cases in the EU, the consent regime has changed to a clear statement or affirmative action and must be specific, informed and unambiguous.
The requirement to have a Data Privacy Impact Assessment makes it a crucial exercise for all organisations.
There are various new rules on transfer of information abroad and consent for processing data relating to a child.
The rights of data subjects have also increased in terms of easier access to data held on them, being informed, being forgotten, erasure, restricting processing and automated decision-making, etc.
Portability of information is a requisite and should be readily available to data subjects upon request
When do I need to start working on the DPA
It is paramount, however, that organisations, especially those already processing or in control of information on EU data subject’s, start working now on compliance and follow best practices. Complying with the GDPR and the new DPA will more likely bring more trust in your organisation and is a win-win situation for all stakeholders.
Try our free self-assessment questionnaire
With a view to helping organisations understand their needs we have devised a Self-Assessment Questionnaire (SAQ) to help you do a desk-review of where you stand. You can access the SAQ through Google forms by using the following link.
The self-assessment questionnaire is free and we will send your detailed submission by email. However it is important to note that the self-assessment does not replace the Data Protection Impact Assessment which is required under the new DPA.
You may contact us for more information on our Data Protection Impact Assessment tool and services on ceo@forwardriskmanagement.com
Our team comprises of experienced information security, legal and data protection professionals who would be very willing to provide very practical solutions to your needs around training (either class based or e-learning) and additional support to your organisation.