cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Armandt_R
Newcomer I

GDPR extrateritorial enforcement

Greetings to all, I am currently busy with the GDPR course presented by (ISC)². 

 

The company I work for does not deal with the EU or any EU citizens officially, but the possibility is always there that this kind of data might make its way onto our systems. I also am involved with a few other projects that also have this kind of potential compliance issues in the future. 

 

As information security professionals this kind of compliance is our responsibility and convincing executives to heed our warnings is vital.

 

I am fully aware of all the penalties and fines, and that is great. I have spoken to a few local (South African) legal professionals and none of them have been able to answer my question directly.

 

How will the EU be able to enforce this regulation in South Africa? If a South African company hypothetically causes an EU citizen material or immaterial damage, how will the EU hold that company accountable? How will they impose the fine?

 

If this South African company just says, " I'm not paying, to hell with the EU, this is Africa", how will the EU go about this? Is there an onus on the South African government to get involved? 

 

I am still doing research on this topic, but so far I have had little success. Yes, I know it affects companies outside the EU, but my question is how this is going to be enforced.

 

I cannot convince my superiors to invest in compliance if there isn't a real threat of "non-compliance" punitive measures. 

 

If anyone has any insight, I would greatly appreciate it. 

10 Replies
ssomuah
Newcomer I

Late to respond to this, but I must say I have learned a lot from the responses. I have also thought about this question for quite a while, and after several pieces of research, I  never found a convincing answer. My country, Ghana has the Data Protection Act 843 (2012), which is modeled almost the same way as the GDPR, but for the language and some terms.

I always try my best to ensure my company complies with the Data Protection Act 843 (2012). As a company domiciled in only Ghana, I feel immune from any bite from GDPR.

Stephen Somuah, CISSP