The General Data Protection Regulation (GDPR) is a comprehensive privacy law enacted by the European Union (EU) to protect the personal data of individuals in the EU. It applies to organisations that process the data of individuals in the EU, regardless of where the organisation is located. The GDPR establishes principles for lawful and transparent data processing, sets out the rights of individuals regarding their data, and lays down rules for data security and breach notification.
The EU general data protection regulation (GDPR) governs how the personal data of individuals in the EU may be processed and transferred.
The EU general data protection regulation (GDPR) is among the most stringent privacy and security laws in the world.
This regulation updated and modernised the principles of the 1995 data protection directive. It was adopted in 2016 and entered into application on 25 May 2018.
The GDPR defines:
The GDPR lists the rights of the data subject, meaning the rights of the individuals whose personal data is being processed. These strengthened rights give individuals more control over their personal data, including through:
The regulation also lays down the obligation for controllers (those who are responsible for the processing of data) to provide transparent and easily accessible information to individuals on the processing of their data.
Data protection regulation (infographic)
The GDPR establishes the general obligations of data controllers and of those processing personal data on their behalf (processors).
These include the obligation to implement appropriate security measures, according to the risk involved in the data processing operations they perform.
Controllers are also required in certain cases to provide notification of personal data breaches. All public authorities and those companies that perform certain risky data processing operations will also need to appoint a data protection officer.
The regulation confirms the existing obligation for member states to establish an independent supervisory authority at national level and establishes a mechanism to create consistency in the application of data protection law across the EU.
The GDPR establishes that a single supervisory decision is taken in cross-border cases where several national supervisory authorities are involved. This principle, known as the ‘one-stop-shop’ principle, means that a company with subsidiaries in several member states will only have to deal with the data protection authority in the member state of its main establishment.
The European Data Protection Board makes sure that the GDPR is applied consistently. The board consists of representatives of the 27 national independent supervisory authorities and the European Data Protection Supervisor.
On 13 June 2024, the Council reached an agreement on a common member states’ position on a new law which will improve cooperation between national data protection authorities when they enforce the General Data Protection Regulation (GDPR).
The GDPR requires national data protection authorities, which are responsible for enforcing the GDPR, to cooperate when a data protection case concerns cross-border processing. This is the case for instance when the complainant resides in a different member state than the company under investigation.
It aims to ensure the:
Individuals can lodge a complaint with a supervisory authority and have the right to judicial remedy and compensation. They have the right to have a decision by their data protection authority reviewed by their national court, irrespective of the member state in which the data controller concerned is established.
Severe sanctions are provided for against controllers or processors who violate data protection rules. For the most serious infringements, controllers and processors can face administrative fines of up to €20 million or 4% of their total worldwide annual turnover, whichever is higher.
The GDPR also covers the transfer of personal data to non-EU countries and international organisations. The European Commission is in charge of assessing the level of protection given by a territory or processing sector in a non-EU country.
Where the Commission has not taken an adequacy decision on a territory or sector, transfer of personal data may still take place in particular cases or when there are appropriate safeguards in place.
What are the similarities and differences between GDPR and the data protection regulations enacted in African countries? We look at the situation in Kenya, Nigeria and South Africa.
Data doesn’t stop at national borders. It’s a global concern, which makes it crucial for businesses operating in diverse markets to understand regional data protection laws. In Africa, several countries have enacted their own legislation to safeguard personal data.
In this post, we explore data protection law in Nigeria, South Africa and Kenya, consider what data protection DNA they share with the EU’s General Data Protection Regulation (GDPR), and where they differ.
South Africa’s Protection of Personal Information Act (POPIA) 2013
Objective:
POPIA regulates the processing of personal information in South Africa, emphasising transparency, consent, and the secure handling of data.
GDPR Consistency:
POPIA aligns closely with GDPR principles, including data subject rights, data minimisation, and accountability, but not everything is consistent. Amongst the differences are the following:
◦ POPIA does not address pseudonymised data (that is, data processed so that it can no longer be attributed to a specific individual without additional information that is kept separately). GDPR does.
◦ In South Africa, consent is required for the processing of the personal data of all under-18s. Under the GDPR, the parental-consent requirement for online services extends only to under-16s (and, where a member state has lowered the threshold, to under-13s).
◦ Although both pieces of legislation impose a responsibility on controllers to carry out impact assessments to ensure standards are imposed and maintained, POPIA doesn’t go into specifics as to how to conduct that review. GDPR does.
◦ Unlike GDPR, POPIA contains no right to data portability.
Nigeria’s Data Protection Regulation (NDPR) 2019
Objective:
The NDPR provides a legal framework for the protection of personal data in Nigeria, and places the emphasis on consent, data subject rights, and data security measures. Nigeria has since enacted the Nigeria Data Protection Act 2023; the comparison below concerns the 2019 regulation.
GDPR Consistency:
NDPR shares numerous similarities with GDPR, particularly in areas like data subject rights, purpose limitation, and accountability. Differences include:
◦ NDPR does not consider pseudonymised data. GDPR does.
◦ NDPR places no obligation on data processors to maintain records of processing activities. GDPR does.
◦ In the event of a data breach, GDPR requires data controllers to notify the relevant authorities. NDPR carries no such requirement (although it does impose numerous other measures).
Kenya’s Data Protection Act (DPA) 2019
Objective:
DPA seeks to regulate the processing of personal data in Kenya, focusing on consent, purpose limitation, and data subject rights.
GDPR Consistency:
Kenya’s DPA exhibits parallels with GDPR, especially in terms of consent, data subject rights, and data security measures. There are, however, some distinct differences:
◦ Unlike GDPR (but like Nigeria’s NDPR), the DPA does not require data controllers to keep records of their processing activities.
◦ While both pieces of legislation confer the right for data subjects to access their personal information, the DPA doesn’t offer much in the way of explanation about how a data subject might exercise that right.
◦ Both pieces of legislation confer the right to data portability, but the DPA presents the right in (arguably) simpler and broader terms than the GDPR.
◦ Enforcement (see below)
General Differences
Scope:
GDPR has an extraterritorial reach: it applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. African data protection laws are primarily concerned with processing within their respective jurisdictions, although some (POPIA and Kenya’s DPA, for example) also reach organisations established elsewhere in defined circumstances, so the territorial scope of each law needs to be checked rather than assumed.
Enforcement:
While GDPR imposes substantial fines for non-compliance, enforcement mechanisms in African countries vary, ranging from fines to regulatory sanctions. Kenya’s maximum administrative fine, for example, is 5 million shillings or 1% of annual turnover, whichever is lower, but there is also the potential for up to two years’ imprisonment for certain offences.
Does complying with African data protection laws guarantee compliance with GDPR?
No. Businesses complying with POPIA, NDPR and DPA principles will inevitably find it easier to align with GDPR requirements, because many of the building blocks of compliance will already be in place.
But as the above summary demonstrates, the differences are sufficient to ensure that compliance with one standard does not automatically mean compliance with another (whether that’s the GDPR or another African standard).
If you trade across Africa and the EU and process the data of EU and African citizens or residents, you’ll need to understand the intricacies of data protection frameworks in each territory to ensure you remain compliant, protect the data of your customers, and minimise organisational risk.