The new legislation comes into force at the end of May. While some companies may have a head start by already being compliant or semi-compliant, others are not yet able to assess whether they are compliant, and others still cannot tell whether they will be affected at all. Sabrina Sonaram, Associate Director of Baker Tilly Mauritius, is of the view that not everyone is ready for the European law, the General Data Protection Regulation (GDPR), which has also translated into changes to our own data protection legislation, the Data Protection Act 2004 having been replaced by the Data Protection Act 2017.
The General Data Protection Regulation (GDPR), a European law, will come into force next month. Can you please tell us why Europe came up with such a law?
In terms of the General Data Protection Regulation (GDPR), the reasoning for the European Commission to come up with the law is that there has been a drastic change in data protection over the last 20 years. Legally, the European Union (EU) has recognized that there has been an increasing need to legislate and to provide awareness, not just for EU countries but also for countries outside the EU.
In your opinion, how will this law affect Mauritius? Who will be affected here?
Effectively, it affects everybody, all organizations that deal with personal data. Before we consider the impact of the GDPR in Mauritius, let’s consider what this new law is about. As said, it comes into force at the end of May. It’s a big piece of legislation. It has 173 introductory clauses, 11 chapters and 99 articles! So, it’s pretty heavy and intensive. It provides a significant upgrade to the existing data protection regulations and presents the most important change in data privacy.
The data protection laws have evolved as the Data Protection Act 2004 was aligned with the EU GDPR and, as a result, a new piece of data protection legislation, namely the Data Protection Act 2017, came into force in Mauritius on 15 January 2018. The 2017 Act and its regulations set out more explicit duties for organizations that use personal data in terms of consent, profiling and data protection officers, as well as the right of access together with the right to be forgotten.
Essentially, organizations in Mauritius need to show awareness of the GDPR and the impact will depend on the nature of the personal data held by the organization. That really depends on whether the organization is data-centric or not, or partially data-centric. There are now legal grounds for organizations to hold data. If they already have policies and procedures, that’s a great starting point. It means they are already semi-compliant. As the regulation places an onus on the organization to comply, many organizations in Mauritius will have to consider data protection for the first time.
The areas of focus that we have to consider are financial services, because they are very data-centric, as well as the educational and health sectors. For us, the financial services sector is very important.
According to you, are local companies well aware of this new legislation, the changes it will bring about and what they need to implement in terms of structure in order to be compliant?
I think local companies know that the law has changed, but they do not fully understand how it is going to affect them. The starting point we would advise for any organization in Mauritius is to ensure that all key people and decision makers within the organization are aware that the law has changed.
Once they are aware of this, they can then start looking at the impact on their local organization. Some companies may have a head start: they may have a data protection policy, programme or procedure, and they may consider privacy an inherent part of their structure, their framework. But I think what is important is that the GDPR provides a perfect opportunity for companies in Mauritius to look at their framework, at how they manage personal data, and we can consider various factors when putting a data protection structure in place. For instance, has the company registered with the Data Protection Office? Has it identified who is the data processor and who is the controller? Are companies aware of the respective data protection responsibilities that they have? How does the company identify its working practices, how data flows in? Is there any formal training, any policy or procedure? That's important.
Rather than considering the GDPR as an upheaval, a company can comply with the GDPR's accountability principle when it is able to demonstrate proactivity with the GDPR principles (for example, effective mapping of the information that is being held, and procedures and guidance made available to staff).
Because the GDPR is so complicated, with sections and subsections and 99 articles, will we be able to fully grasp the implications of this law?
I think in time, yes. What is critical is the work with the Data Protection Office, and obviously with the Data Protection Commissioner herself. In terms of grasping the key elements of the law, the GDPR is being enacted through the Data Protection Act 2017, which came into force in January this year. So I think yes, most of the guiding principles are in there, in terms of consent, the right to be forgotten and privacy, as well as the laws. But when we look at the actual Act itself, companies can't shy away from it: the Act introduces new concepts like data protection impact assessments, which mirror the GDPR, and also notifying the Data Protection Officer of any data breaches and notifying the data subjects if there is a data breach. That's clear in terms of the actual principles under the GDPR.
Are actors on the local scene aware of the changes brought to the Data Protection Act?
Not everyone is ready. I don't think a lot of companies are ready for the law. I'll tell you why. Many companies are actually 'waking up' to the GDPR. They know that the Act has been enacted, but they don't know what steps or implementation steps they need to take to be compliant. And that's important. There are essentially three scenarios. The first is that most companies are not able to readily assess whether they are GDPR compliant, ready or just about to be ready. That's critical to understand. The second is that companies are completely unaware that the GDPR principles mirror what's in the Data Protection Act. And third, we have these wonderful companies which are completely compliant and don't need to do anything. They are well ahead of everyone else. So companies need to understand their state of readiness under the GDPR and under the Data Protection Act, and then they can look at implementation and how to enforce the GDPR.
The 2017 Act introduces new concepts. With the Data Protection Act 2017, companies will be required to carry out a data protection impact assessment (DPIA) in situations where data processing is likely to result in high risks to the rights and freedoms of individuals. DPIAs are a form of data protection by design, as they assist companies in identifying the most effective way to comply with their data protection obligations and meet the individual's right to privacy. DPIAs typically comprise a description of the processing operation, whether the processing meets its purpose, and any associated risks to an individual (in relation to criminal offences, large-scale systematic monitoring).
Other new concepts include the right to object to automated individual decision-making, including profiling, and the requirement for data controllers to notify the DPO and the data subject of data breaches.
But are the authorities doing enough to inform the local companies of the changes which have been brought about, or get them ready for these changes?
I think so. We are honored to be working alongside the Data Protection Commissioner and the Office. We are working very closely with them in terms of reaching out to a wide audience, not just people within financial services but also within non-financial services, whether you are a small, medium or large firm. The Commissioner and her team have gone through a series of engagements, awareness campaigns through televised events, training and workshops in order to sensitize the public at large. We, Baker Tilly, are working alongside the Commissioner and her team to help sensitize people and to assist in compliance, certification and registration. Another key area which organizations are aware of is that the Data Protection Office, through the law, is able to remedy any infringements when personal data has been mishandled, because sometimes data subjects are obviously left hanging in terms of how their data is used, processed or held. So it promotes fairness and it promotes transparency. Under the Act, the Commissioner has powers to handle complaints, including the amicable resolution of disputes.
From now on, is there a necessity for companies to have a Data Protection Officer?
Under the Act, yes, there will be. Under the GDPR and under the Data Protection Act 2017, having a Data Protection Officer is considered best practice. So the whole idea of the officer is to look at the infrastructure, at how data is mapped, how it is stored and transferred, how it is collected, and to look at the reasoning behind the processing; so you have to have consent from a data subject as well as a law for processing. You can't just have one and not the other. So the Data Protection Officer is going to be a critical element in terms of managing and mitigating data risks.
What is Baker Tilly Mauritius doing in terms of the new laws?
Well, as I said, we are honored to be working with the Commissioner and her team. We are utilizing the guiding principles under the GDPR and the fact that the GDPR has acceded to Convention 108, which relates to the automatic processing of personal data and attracts foreign investment. We've looked at a number of issues, a number of areas under the GDPR.
Baker Tilly is an international firm. We've worked with the United States and their UK counterparts as well as with the EU Commission. We have a direct path to the EU, which is a brilliant avenue to have. When we have that, as well as collaboration with the Commissioner and her team, what we are able to see is the sphere not just in Mauritius but also outside of Mauritius. This promotes the whole essence of transparency and the principles under the GDPR. What we are trying to do by partnering with the Commissioner and her team is to encourage positive GDPR compliance awareness, so we can help all organizations by tailoring briefing sessions that will enable an action plan to be prepared. We can support an organization in the implementation of the GDPR principles.
How do we do that? We have an assessment that we work through with clients. We can also maintain the GDPR systems both pre and post the 25th of May. Number one, we enable companies to gain an understanding of the GDPR through formal awareness training. Number two, we map the personal data that is currently being held, processed and stored. Number three, we ensure that the organization has the consent of the individual to control the data. Number four, we adopt the principle of a law for processing, because, as I said before, consent is not the only legal basis for data processing. Number five, we look at data protection management. We will assist companies in detecting, reporting and investigating personal data breaches.
What makes us different in terms of GDPR compliance? First of all, we are practical in our service offering. We have a GDPR implementation seminar that we will be hosting for the public at the Hennessy Park Hotel on the 15th of May. It's a full-day seminar and the essence there is to provide organizations with practical implementation steps so they can start thinking about whether they are ready or not. As I said before, some organizations may be data-centric, some may not be. So they may put it off till later in the year or maybe next year. With the Data Protection Office, we will be assisting companies with their registration process and with their certification process, which is important because a data controller or a company cannot be certified unless it is registered. They have to go through registration first before they are certified.
Finally, and this is important for all organizations in Mauritius, we can advise companies on practicable and actionable steps. If we say that Company X needs to go and do five actions, we will give them a timeframe to do that, and we will hold their hand and help them with those steps. This is something which merits the spirit of the GDPR as well as the work that has been done under the Data Protection Act. We are very proud of the service.
What does a company risk if it is not compliant with the new laws?
There are various offences and criminal penalties under the Data Protection Act 2017. Where no specific penalty is provided, any person who does not comply or contravenes the 2017 Act, shall on conviction be liable to a fine not exceeding 200,000 rupees and to imprisonment for a term not exceeding 5 years.
The impact of non-compliance with the GDPR is paramount for companies, as, other than the financial penalties which can be imposed, there will be legal implications, given that individuals are able to take legal action against the data controller, the data processor or indeed both. Other material damage which will invariably apply includes reputational damage to the organization, financial loss and potentially discriminatory practices.
We recently had the Facebook and Cambridge Analytica scandal. What do you think of it? Might there be some elements pertaining to Mauritius also?
The Cambridge Analytica case has highlighted the importance of data management, given that Facebook is facing international investigations into the illicit harvesting of users' personal data. The information was collected by Cambridge Analytica, a political consulting firm that backed President Trump's 2016 election campaign. It is understood that Cambridge Analytica gathered data from 50 million users, then developed a software program that profiled these citizens to predict voting patterns. The ripple effect in Mauritius is one which is being closely looked at. The severity of the Cambridge Analytica scandal will invariably provide a new chapter in defining the risk envelope of all organizations that handle personal data.
A few words on Sabrina Sonaram and Baker Tilly
“I have joined Baker Tilly Mauritius as an Associate Director acting as the Privacy Practice Lead, Head of Compliance and Training.” As a legally qualified solicitor specializing in contentious and non-contentious employment, corporate, contract and property law, Sabrina Sonaram took up the role of heading and managing an advisory team ensuring legal and regulatory compliance in the private, public and government sectors in the UK, Europe, Asia Pacific and the Middle East.
“I utilize my expertise to deliver a range of regulatory compliance, training and legal solutions to global clients. I actively deliver a range of courses on financial and regulatory compliance”, she says.
Baker Tilly (Mauritius) has recently undergone a complete transformation, with a new management team with a fresh strategic vision and the perspective to serve clients in the mid-market with a focus on quality assurance and excellent service delivery. The whole management team has extensive international exposure in the fields of audit, compliance, accounting, advisory and training. Baker Tilly (Mauritius) is a member firm of the Baker Tilly International network, which is ranked number 1 in the top mid-market network table in a 2018 report by Global Accounting Insights.
“We understand that the on-demand market is growing and provides ground breaking solutions to our clients. We strive to be a truly customer led business and our strategy is to focus on the success of our clients and our people”, affirms the Associate Director.