The right to privacy refers to the concept that one’s personal information should be protected from public scrutiny. It is forms part of the legal objective to restrict actions that threaten the privacy of individuals. Mauritius enacted the Data Protection Act of 2004, which allowed for the protection of privacy rights of individuals used to manage data relating to them. However, given the rapidly evolving nature of data it became very apparent that the Data Protection Act of 2004 no longer met Mauritius’ evolving digital needs. It was thus repealed, and replaced, by the Data Protection Act 2017 (the “Act”) which came into force on the 15th of January 2018.
The Act necessitates that personal data is safeguarded and processed properly. It aims to minimize the risk of data breaches in the most effective way possible. The Act also seeks to align the Mauritius data protection framework with international standards, specifically, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
What does this imply for companies going forward? They now have a clear responsibility to work towards establishing policies and improving company-wide practices. Under the GDPR regulations – which have extra-territorial reach – failure to comply with obligations could result in fines being imposed that can reach as much as 4% of annual global turnover. Under the Data Protection Act 2017, failure to comply with the law can also lead to imprisonment. As such, it is primordial to improve practices to guarantee information security.
Which industries will be significantly impacted by the Data Protection Act 2017?
- Industries that provide services to individual customers
Companies whose core business is to provide services to individuals generally include the processing of personal data on a day-to-day basis. These companies include the hospitality sector, financial services, insurance, and human resources management amongst others. When we consider Mauritius, hotels will confront a direct impact as they also service EU Citizens.
- Industries that provide marketing, business process outsourcing and support services
A significant number of companies provide marketing, business process outsourcing and support services wherein they handle personal data on a day-to-day basis particularly through printed forms, phone calls and emails.
- Retail Sector
The retail business sees thousands of people visiting its showrooms for either support or the purchase of goods. Merchants handle enormous amount of personal data on a day-to-day basis.
The current privacy landscape is about to experience a major change in the coming years with the adoption of a privacy culture by companies. Every business is inherently unique and going forward the quantity of data available on hand is only set to increase. New technological developments are further adding urgency to this need with the ever-growing usage of social media, cloud services and mobile apps and e-payment platforms. The need for information security is a truly pressing one. Understanding the context of business processing and information security is therefore vital. Rogers Capital through its team of experts helps companies to achieve Data Protection Compliance in the most effective manner.
Rogers Capital offers a comprehensive consultancy service in Data Protection and Privacy compliance to help companies achieve an acceptable level of maturity in order to comply with the Data Protection Act 2017. Our consultancy services combine analysis of related business processes, information security risks and take in to consideration the legal aspects of the process. We delineate the entire process into three parts; Data Discovery phase, Assessment & Design phase and the Compliance phase. We analyze business processes to understand the amount of personal data in the business and we evaluate the requirements for policies, procedures and also review all processes to correct any non-conformities detected. The compliance phase subsequently takes the form of project management where we guide the organisation in implementing the appropriate compliance tasks, security controls and security standards adoption. We also believe that the involvement of people in the entire process has a major impact on compliance. We add value to the exercise by further providing a user awareness so as to empower people, as they remain the human firewall in this entire process.