Have you recently been inundated with notifications about data privacy? That’s likely because the deadline for GDPR compliance was on 25th May 2018. And many local companies were getting their ducks in a row. We find out what it’s all about, how it affects South African companies and if it’s too late to act.


GDPR is the European Union’s General Data Protection Regulation. This piece of legislation mandates that any organisation processing EU citizens’ data must put a privacy policy in place to ensure data protection. It is positioned as one of the most significant changes in data privacy regulation in 20 years, and local companies should take it seriously.

How does GDPR affect S.A. companies?

  • If you have a South African customer that can transact on your site while holidaying in an EU country, then you need to be GDPR compliant.
  • Even if you think you don’t have any customers in the EU, you can’t be certain, so you’re better off being compliant than not.
  • The legislation applies to any companies that have employees in the EU, sell or market products or services in the EU, or partner with EU organizations.
  • If you are not compliant, your company will be reported and requested to comply. Failing that, you will be liable for a hefty fine of as much as 20-million Euro (R292-million) or four percent of your company’s annual turnover.

Worldwide Worx M.D. Arthur Goldstuck says that it is not only important but essential that South African companies have a global view on data protection. “Something as simple as having a website hosted on an international platform can make a company liable to sanction under GDPR.”

How to make your website GDPR compliant:

1) Create a ‘cookie’ banner for your website which ensures that visitors are aware that your site uses cookies.
2) Create a ‘Privacy of Data’ Policy that lives on your website.

How to ensure your communications comply with GDPR:

You need consent from any recipient who receives marketing communications from your company.
Consent here means having an explicit record of the person agreeing to receive messages from you (i.e. opt-in, not opt-out) and being able to show when and how they gave their consent and what they agreed to receive.

There are 2 options here:
1) Contact everyone on your marketing databases and get their explicit consent.
2) Remove everyone for whom you do not have recorded, explicit consent.

In both instances, there is a high probability that your email database will significantly decline in the process. However, any losses you may suffer here will impact you a lot less than if you fail to be GDPR compliant. And you can look at it as an opportunity to build a compliant database of customers committed to opting in with a genuine interest in your company.


Creative Imagineering recently wrote an article on the local version of data privacy protection, called the POPI Act. So fortunately for SA, many companies will already be familiar – some even largely compliant – with what is expected of them in terms of data protection.

The purpose of SA’s POPI Act is to protect people from harm by protecting their personal information: to stop their money being stolen, to stop their identity from being stolen, and generally to protect their privacy, which is a fundamental human right. Although, unlike the GDPR, it is still not known when POPI will come into effect, what is known is that companies will have a one-year transitional phase in which to comply once POPI’s implementation date is made public.

Technology will be key

Software systems that offer automation, content management, enterprise resource planning and accounting, among others, will become a lifeline for many companies in their quest to comply. Consumer data is a highly valued commodity and needs to be treated as such.

The #girlgeeks at Creative Imagineering can take the hassle out of GDPR and POPI compliance.  Email us to find out how.