Are you ready?
The new Data Protection Act has been proclaimed and in operation since 15th January 2018.
It’s here. It’s compulsory. And there is a criminal offence for directors if companies do not comply, and there is a risk of the European Union slapping a Mauritius company with a fine of 2% of global revenue or EUR 20 million!! This must hurt!
The new Data Protection Act 2017 has been live and active since 15th January 2018. Most international companies with branches or subsidiaries in Mauritius must already have been working on compliance for a while, but what about the rest of us? Well, we’re late.
Everyone was focused on the General Data Protection Regulation (GDPR), a new directive of the European Union which becomes law in Europe on 25th May 2018 and also affects companies in Mauritius which deal with European personal data. But our new law is already here. And so are the obligations on companies to comply with it.
In short – Mauritian companies have a positive duty to:
- Create and have policies and processes to comply with the law
- Be able to demonstrate compliance with the law at any time. This includes having the policies and mechanisms in place to do so.
Failing this, the criminal sanctions would apply, and you would not want your very prestigious Board of Directors to be hanging out at the police station, now would you?
So, we take a deep breath and start an implementation plan.
Step 1 – Define your project
Your project would be to make sure that:
- your company is compliant with the new Data Protection provisions and those of the GDPR (if you deal with EU personal data)
- you can show compliance at any time
- you have the appropriate data security, policy and processes in place
- you have done the right training
- you understand the risk of non-compliance and are monitoring on an ongoing basis
- you have done your data protection impact assessments (DPIA)
Step 2 – Get buy in and constitute your team
Your bosses or Board will want to know:
Why do you need to do it? Well, it’s compulsory, and if we do not, it’s the risk of criminal sanction for those same bosses.
What does it cost? Estimate your internal time as well as quotes from external advisors etc.
When does it need to be done by? For those who have not done it yet, you’re late and in breach. A gap analysis will tell you how much you need to do, so that you can plan the dates (before the 25th May 2018 GDPR launch would be a safe suggestion, if not quicker).
Once you have senior management on board, get the team up and running:
A project manager, HR, IT, your external or internal legal team, and for larger companies, possibly, procurement, training officers and a technical lead.
You will need a contact in charge from each department.
Step 3 – implement!
From there on, consider getting through the following phases in the project:
- Awareness and training programme: get everyone trained and aware of the requirements.
- Personal data mapping, so that you understand what personal data you hold, how it is processed and why. You will possibly want to use this opportunity to clean up, carry out a gap analysis of where you are compared to where you want to be, and then start the change.
- Get policies and processes in place (create the adequacy)
- Get the data subject request procedures in place
- Review contracts for DP compliance
- Learn and implement DPIA (Data Protection Impact Assessment) processes
- Get your international transfer compliance in place
- Get your breach notification in place
- Get it done quickly!