In May 2016, the European Union (“EU“) adopted the General Data Protection Regulation (“GDPR“). This regulation introduces a new set of data protection rules that will increase data protection for EU residents and citizens and places more stringent guidelines on the treatment of their personal data.

It is important to note that the GDPR is not applicable only to entities located in the EU. In fact, its scope is so broad that it will apply to any entity around the world that processes personal data of individuals who are residents or citizens of the EU. Because South Africa has a thriving tourism industry with thousands of Europeans coming to its shores each year, this regulation will have a significant impact on many South African businesses. For example, any hotel that records personal data of a guest, who is an EU resident, will have to meet the requirements of the GDPR.

Although most South African businesses engaged in data processing will be aware of the Promotion of Protection of Personal Information Act 4 of 2013 (“POPI“) and its requirements, the GDPR imposes some restrictions on data processing that are not covered by POPI.

Therefore, it is important for any person or business that processes any personal information of EU residents or citizens to undergo, before the May 2018 deadline, a data processing assessment in order to determine whether or not your processing activities will comply with the GDPR.