The European Union’s (EU) General Data Protection Regulation (GDPR) will officially come into force on Friday, 25 May, followed by its local cousin, the POPI Act, in the second or third quarter of the year.

You may be feeling this already. In fact, it's a wonder as to who hasn’t already received a flood of Privacy Policy and Data Protection Policy updates from around the world.

Why should the GDPR matter to South African digital marketers?

The GDPR extends well beyond the borders of the European Union.

The legislation has so-called 'extraterritorial applicability', but it also stops European organisations from sending data to other countries unless they are sure that GDPR equivalent data protection laws are in place.

This has a far-reaching impact on global communication, and the way countries outside of this regulation do business.

If you do not have stringent data management processes in place, and cannot illustrate that you obtained your data with the consent of your audience, you could face severe penalties or lose international business.

In countries like South Africa, where there are not comprehensive privacy laws (yet), local businesses are being forced to conclude contracts in which they undertake to follow the GDPR.

They are also often forced to demonstrate that they are compliant. If they cannot do this, the contract will be awarded to someone else. This type of commercial force has been the true sting in the GDPR’s tail for South African companies.

Digital marketers, in particular, will feel the GDPR’s reach due to the clampdown on data farming and data sharing which has already started.

Tech giants have already made moves to withdraw support for third-party ad serving in Europe and limiting the number of vendors that can measure ads performance on their platforms.

When will the GDPR apply directly to South African companies?

This is an important question to answer because the penalties for non-compliance are severe. There are fines of up to €20 000 000 euros (R297-million) or 4% of total global turnover.

Four factors will determine whether or not the GDPR applies:

1. Organisations in Europe: If an organisation is incorporated in Europe, that entity has to comply with all European laws, including the GDPR. 

2. Organisations active in Europe: If an organisation is active in Europe through a "stable arrangement" in the EU, the GDPR will apply. This includes instances where a South African business is active in Europe through an agent, a sales office or a branch in Europe.

The European Commission will look at factors such as whether the SA company has a website in a European language (other than English), whether it has equipment in Europe or a European postal address.

3. South African organisations offering goods to Europe: If the South African business is not established in Europe, such as in statements one and two, the GDPR may still apply if it offers goods or services to individuals while they are in the EU.

When the European Commission determines whether this is the case, they take factors into account such as whether these services are offered in a European language (other than English), whether payment can be made in a European currency and whether your marketing material specifically mentions customers located in the EU.

This does not mean that the GDPR will apply to European citizens while they are in South Africa. So, just because you have European customers doesn’t mean that you have to comply.

It will depend on whether you are delivering goods or services to individuals while they are in the EU.

Lastly, and perhaps most importantly for digital marketers, the GDPR will apply to a South African business if it is monitoring the behaviour of individuals while they are in the EU.

4. South African profiles of Europeans: If the business does analytics on individuals while they are in the EU to create a profile of them, or to analyse their preferences, behaviour or attitudes, the GDPR applies.

This means that if a digital marketer is profiling and targeting individuals while they are in Europe, the GDPR will apply.

So it applies. Now what?

The biggest concern for digital marketers is whether they need the consent of consumers to serve personalised advertising. While marketing via email and SMS requires consent, more specifically an opt-in consent, the digital marketing world falls within a grey area.

This, unfortunately, means that there are no hard and fast rules – whether consent is required will depend on what the digital marketer wants to do.

Given how impractical it is to get consent for personalised ad serving, it is important to remember that consent is not the only way to justify personalised advertising.

In the EU, many digital marketers make use of the ‘legitimate interest’ argument where the impact on consumers’ privacy is measured up against the interests of the business.

Factors such as the level of the targeting (whether individuals are being targeted as opposed to clusters) and whether the consumer was notified that their data would be used in targeting are taken into account.

As with POPI, the name of the game to become GDPR compliant is data management. Without it, an organisation will not be able to demonstrate that its use of data is, or was, compliant.

This means that they have to be able to record when, why and how the information was collected and that it was only used for the original purpose.

This requires sophisticated systems and processes and will challenge companies to set up a dedicated infrastructure for data management.

The IAB South Africa will notify all members of GDPR developments as they pertain to South African publishers, marketers and agencies. We will also be holding a workshop in the coming months to unpack the impact of the regulation in detail.

For more information, visit www.iabsa.net. You can also follow IAB South Africa on Facebook or on Twitter.  
media update recently looked at the various ways in which GDPR will affect business in South Africa. Read more in our article, Quick Read: What does the GDPR mean for South Africa?