The coming into effect of the General Data Protection Regulation (GDPR) on 25th May 2018 has signified a global harmonisation in the way that we address data privacy rights of living human beings. The GDPR protects the privacy of the personal data of individuals in the EU, irrespective of where the processing of that data takes place. It thus has extra-territorial effect, i.e. is also to be enforced outside of the EU.
Being given the extra-territorial effect of the GDPR and the fact that privacy is a fundamental right of every living individual, the Mauritian Government enacted a new Data Protection Act 2017, which came into force on 15th January 2018, in order to facilitate compliance with the GDPR and ensure that the rights of privacy of data subjects are duly protected.
Many organisations in Mauritius are somewhat overwhelmed by the requirements of the new data privacy laws and regulations and are looking to understand the methods and challenges of implementation and compliance. In that respect, a conference was organised on the 31st of August at Hennessy Park Hotel by Jurisconsult, part of the multinational legal network of DLA Piper. Entitled “The Mauritius Data Protection Act 2017 and the European Union General Data Protection Regulation: Legal Challenges and Opportunities”, this conference welcomed some distinguished guests such as Dr (Mrs) R. Y. Moorghen, the Permanent Secretary, the Ministry of Technology, Communication and Innovation, Mrs Drudeisha Madhub, the Data Protection Commissioner and a GDPR legal expert, Mrs Florence Guthfreund-Roland also a partner at DLA Piper (France) as well as various panellist guest speakers from different companies in Mauritius, including Anshi Saminaden, Harel Mallac’s Group Head of Legal Affairs.
Our Group Head of Legal Affairs shared, during a panel discussion, the measures being taken within the Harel Mallac Group to become GDPR and DPA compliant as well as the related challenges. Those measures cover, inter-alia: a compulsory e-learning module on data privacy, a Gap Analysis conduct by Ernst & Young, the implementation of a new Data Protection Policy for the Group, in accordance with the DPA, amendments to our websites, such as their terms and conditions and privacy notices.
Interview. Anshi Saminaden, Group Head of Legal Affairs at Harel Mallac.
In line with this conference, Anshi Saminaden gives us an overview of the implementation and importance of the GDPR and the DPA for Mauritius through this interview.
Connexion: Data privacy is a complex subject. Could you elaborate on these new laws and the various principles relating to the processing of personal data and the obligations of the controllers and processors?
Anshi Saminaden: Data privacy applies to any data from which, a living individual (known as a ‘data subject’) can be identified such as his or her name, address, biometric or genetic data and any other contact details. The right to privacy is a fundamental and constitutional right, of which data privacy also forms part. Our fundamental rights to privacy stem from Sections 3 and 9 of the Constitution of Mauritius and Article 22 of the Mauritian Civil Code that existed well before the coming into effect of the Data Protection Act and GDPR. Data privacy goes beyond confidentiality and requires us to use and process data diligently, in accordance with the rights of the data subject.
Evolving in an era of rapid technological and social change, personal data has become an increasing concern; so much that many countries have had to legislate on data privacy in order to ensure that the rights of individuals are protected. In 2004, Mauritius enacted the Data Protection Act 2004, which, was repealed and replaced by the new Data Protection Act 2017, which came into force on 15th January 2018.
This new Act should also enable Mauritius to position itself as a trustworthy, global player, in terms of data privacy where it can be recognised as a having adequate safeguards for the safe and proper processing of personal data. The GDPR and its extra-territorial effect shows the strong stand taken globally to harmonise data privacy. The rapid evolvement of technology cross-border as well as the social media has instigated the urgent need to ensure that the data of individuals is processed within defined limits and that the basic, fundamental rights of privacy are respected. The GDPR applies here in Mauritius, although time will tell whether an administrative decision in the EU/UK may be executed here in Mauritius.
For now, the Data Protection Act has been amended in order to facilitate compliance with the GDPR with respect to the processing of personal data according to six basic principles. Every controller or processor shall ensure that personal data is:
Connexion: What is the difference between Data Controller and Data Processor?
Anshi Saminaden: The Data Protection Act 2017 is, therefore, our local law. Any person that collects personal data of individuals known as “data subjects” and that has the decision-making power on how that data is used, is known as a data “controller”. Each company within our Group is a data “controller”. Any third party service provider, whose services are retained by the controller to assist in the processing of personal data, is known as a data “processor”. The controller has a duty to ensure, usually in a data processing agreement, that relevant safeguards are in place and respected by the processor when processing the data entrusted to him/her/it.
Connexion: How it this legislation implemented within Harel Mallac?
Anshi Saminaden: The implementation of the DPA and GDPR require a change in the way that our Group does business, namely in our operational structures and processes. For example, the Group needs to apply Data Minimisation, which means that we cannot request more data than it is required and it must not be kept for longer than is necessary.
Furthermore, retention and disposal policies are being put in place. Audits will be conducted systematically and our processing activities will need to be recorded followed by a Privacy Impact Assessment to assess the level of risk to the data subjects’ rights and freedoms. Template documents and contracts will need to be reviewed and aligned with data privacy requirements.
For all high-risk activities or activities such as involving the tracking of individuals’ online behaviour which could potentially result in a risk of physical harm in the event of a breach, a Data Protection Impact Assessment (DPIA) must be performed and documented by the controller. Using data for direct marketing will require the consent of the data subject. All personal data that we hold will need to be scrutinised, as to their purpose, use, and the lawful basis on which it is being processed etc.
Connexion: What about consent?
Anshi Saminaden: Obtaining the consent of the data subject is one lawful way of processing personal data, but not the only way. Today, personal data may, in certain cases, be processed without the need to seek and obtain the consent of the data subject.
However, under the DPA there are other lawful grounds, upon which personal data may be processed without the consent of the data subject. Where, for example, the processing of personal data is necessary for performance of a contract with the data subject or a “legitimate interest” i.e. processing is necessary for the legitimate interest of the controller or the legitimate interest of a third party (in this case, one will need to complete a Legitimate Interest Assessment).
Connexion: What does the data subject need to know before communicating his or her personal data?
Under the DPA, the data subject must, upon collection of personal data, be informed of his or her rights. This is usually in the form of a privacy notice. If his or her consent is required, he or she is then able to take an informed decision. The processing of personal data in a trustworthy manner and environment can only enhance the trust of our stakeholders.
Connexion: What are the consequences of non-compliance?
Anshi Saminaden: The commission of an offence under the DPA for which no specific penalty is provided or who otherwise contravenes that Act shall, on conviction, be liable to a fine not exceeding 200, 000 rupees and to imprisonment for a term not exceeding five years. Any breach of the GDPR could result in heavy penalties i.e. fines amounting up to 4% of annual global turnover or €20 Million, whichever is greater. Over and above the penalties and offences, non-compliance with data privacy laws will reduce stakeholder trust and could lead to such other disciplinary or legal action.
Connexion: How will Mauritius and Mauritian businesses benefit from the data privacy laws?
Anshi Saminaden: Among other things, compliance will enable better controls and processes in the business, improved cyber security and protection of business assets and higher stakeholder trust both internationally and locally, and more investment into Mauritius.
Connexion: How is this new legislation in line with Harel Mallac Group’s commitment to make a difference for the better?
Anshi Saminaden: With the recent well-known, international scandal about illicit retrieving of users’ personal data, which highlighted the importance of data management, it has become more crucial for Harel Mallac to work effortlessly towards ensuring compliance with the new requirements. Data privacy must and must be seen to form an intrinsic part of our operations and way of doing business. ‘Trust’ is one of our core values and building the trust of our stakeholders, through the way that we process personal data, can only bring good for all parties, better efficiency and productivity.