Data Protection in Africa Part 1:
What laws apply.
Data protection can be a minefield because of the vast number of regulations that apply, so it is important to understand the context and situations in which you use personal data.
- You need to consider what the laws of your country are. For example, if you are based in South Africa then you will need to comply with the Protection of Personal Information Act, which restricts the transfer of personal data outside of the country. If you are based in Angola, on the other hand, you will need to comply with the Data Protection Law, which established the Agência de Proteção de Dados as the authority over data protection; organisations must obtain authorisation from it in order to process personal data.
- You will need to comply with African Union (AU) regulations, which apply to all member countries that have ratified the relevant convention. For example, the AU Convention on Cyber-security and Data Protection prohibits the use of sensitive data (race, religion, health, sexuality, etc.) unless certain conditions are met. However, whilst there are 55 member countries as of May 2019, only 18 countries have signed/ratified the convention.
- You should consider what industry you are in, as there may be additional country and AU laws and regulations that apply. For example, if you take card payments then you may need to comply with PCI DSS, which requires you to manage your networks to isolate and separate some types of traffic.
- You will need to consider who the people you are dealing with are, as other legislation and regulations may apply. For example, if you deal with any organisations based in Europe you will be required to register a representative within a European country and report data breaches to the authorities within 72 hours.
…To be continued in Part 2