GDPR in the Mauritian context and Data Protection Act 2017

Data protection and privacy have never been as much of a hot topic as they are now. While some organisations have already taken the steps to ensure compliance with the regulations, for others the implications are still unclear. Recent data breaches are a constant reminder of the importance of data privacy in today’s data-rich business environment.


The requirement to protect personal data is not really new. In 1995 the European Union adopted the Data Protection Directive 95/46/EC, which focused on the protection of the personal data of European individuals and on the movement of such data to other countries. However, the directive was non-binding, meaning that it was guidance which EU member countries had to transpose into their local laws by 1998.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was adopted on 27 April 2016 and becomes enforceable from 25 May 2018. GDPR was designed to provide a single data privacy regulation across Europe. In a nutshell, GDPR ensures that personal information on European citizens and residents is protected by the companies that collect and process it, and that individuals have control over how their data is used and managed, including its transfer to territories outside the EU.

1. What is considered Personal Information?

Personal Information (PI), Personally Identifiable Information (PII under US laws) or Sensitive Personal Information (SPI) refers to any data that can be used on its own, or in conjunction with other data, to identify an individual. In practice PI includes, for example, name and surname, address, telephone number, photos, date and place of birth, national identification number, driver’s licence number, passport number, vehicle plate number, biometric data, credit card number and genetic information. Think of it as any unique ID number given to an individual, or any data that, when combined with other data, can lead back to a person. Someone may have a social media profile under a nickname, but with the data available on the internet you can trace the profile back to the actual individual. Under the law, the term Data Subject is typically used to refer to the individual about whom data is being collected and processed.

2. Does the European General Data Protection Regulation (GDPR) apply to my business in Mauritius?

Do you collect, store or process any Personal Information of European citizens and residents while doing business? If the answer is “Yes”, then GDPR applies to your business. Note: there must be a legal basis for collecting or processing Personal Information.

GDPR has extra-territorial applicability, which means that it applies to any company processing the personal data of individuals residing in the EU, regardless of where the company is based or registered. The moment your organisation collects Personal Information, it becomes a Data Controller under GDPR. If the data is collected by a separate entity but your organisation processes it, for example by storing data on behalf of a third party, your organisation becomes a Data Processor under GDPR.

3. What is the consequence of not complying with GDPR?

If, while doing business, a company fails to comply with GDPR requirements and suffers a data breach in which the Personal Information of EU individuals is impacted (whether online or otherwise), it can be fined up to 4% of its annual global turnover or €20 Million (whichever is greater). One important point to note is that this is not a percentage of profit but 4% of global turnover.

4. What does GDPR imply for organisations including those based in Mauritius?

If you have assessed that GDPR applies to your organisation, then you must implement the requirements of the regulation, which include:

Notice and Consent. Whenever you collect Personal Information on individuals (whether directly, online or otherwise) you need to ensure that the person is aware of why the information is being collected and consents to giving it. In practice this typically means acknowledging a set of Terms and Conditions or a Privacy Notice. Under GDPR, such notices should be in clear and plain language, with minimal or no legal terms, so that they are easily understood by the individual. Providing notice alone is not sufficient: the individual needs to give consent to the notice, either through online confirmation or in writing. One way of doing this for printed forms that collect Personal Information is to attach the notice and ensure that the individual signs it. In the event of a challenge or an audit by the relevant authorities, organisations must be able to provide evidence of consent.

Notification of Breach. Any breach of Personal Information suffered by a company that is a Data Controller or Data Processor (whether the breach occurs online or otherwise) must be notified to the relevant authorities no later than 72 hours after the breach has been uncovered. Individuals impacted by the data breach should also be notified within a reasonable time frame. Failure to report such breaches within the required time frame is deemed a failure to comply with GDPR. Under Mauritian law the Data Protection Commissioner and the Data Protection Office are also deemed relevant authorities.

Right of Access. Under GDPR, an individual must be able to request from any organisation that processes their Personal Information confirmation of how the data is being processed, in what locations and for what purpose. If your organisation processes the data of a European citizen in Mauritius, that person has the right to be told how the data is stored and for which business purpose. Furthermore, your organisation should be able to readily provide the individual with a copy of all the personal data you hold on them, free of charge and in an electronic format. This means that collected data should be stored in a form from which it can be easily retrieved.

Right to be Forgotten. When an organisation no longer requires the Personal Information of an individual, it should ensure that the data is erased. The right to be forgotten enables individuals to request that any company holding their data (and that has no business justification to continue doing so) erase all of their personal data, take all measures to prevent distribution of the data, and ask any other parties that were handed the data to delete it as well. For instance, if your organisation has transmitted Personal Information to other organisations, it is your responsibility to ensure that all those third parties erase it. There should be enough evidence to show that every possible effort was made to request erasure.

Data Portability. An individual has the right to request their personal data from the organisation processing it, in a format that can be transmitted to another organisation. For instance, if a person no longer wants to do business with your company, you should be able to give them all the Personal Information you hold in a format that can be readily used by another service provider.

Privacy by Design. The privacy by design principle under GDPR requires organisations to implement systems, technologies and processes that keep Personal Information secure and provide data privacy by default. Such measures may include, but are not limited to, proactive data security, securing data by default (without an explicit request or need for it), data anonymisation (storing data in a form that cannot be linked to an individual), access control mechanisms and encryption.

In practice, Personal Information on individuals is often easily accessible to any person within the organisation. As an organisation, however, you need to ensure that such data is stored securely using adequate technologies and processes. For example, this can translate into implementing encryption and secure data transmission mechanisms, ensuring that third parties who have access to your systems do not have access to this data, and allowing staff access only on a need-to-know basis. Privacy by Design is by far one of the most complex requirements under GDPR: it requires organisations to rethink their data processing and storage practices and, in many cases, to adapt their systems accordingly.
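The following is an added example (not code from the original article) of how the controls described in the Right of Access, Right to be Forgotten, Data Portability and Privacy by Design sections translate into a small, runnable personal-data store. The roles, field names, notice version and sample record are all constructed for illustration; in particular, the keyed hash that replaces the national ID as the record key is an assumed pseudonymisation design, and at-rest encryption of the stored fields is assumed to be provided by the storage layer rather than shown here.

```python
"""Added example: a minimal personal-data store illustrating consent evidence,
need-to-know access, pseudonymous record keys, subject access export,
portability and erasure with an evidence trail. All roles, field names and
sample values are constructed for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Need-to-know: each (hypothetical) role may see only the fields its job needs.
ROLE_FIELDS = {
    "billing": {"name", "address", "card_last4"},
    "support": {"name", "email"},
    "analytics": set(),          # analytics works on pseudonyms only, no PI
}


class PersonalDataStore:
    def __init__(self, pseudonym_key: bytes):
        # Key for the keyed hash that replaces the national ID as record key.
        # In production this key lives in a KMS/HSM, never beside the data.
        self._key = pseudonym_key
        self._records = {}        # pseudonym -> {"fields", "consent", "shared_with"}
        self.audit_log = []       # evidence trail for regulators and data subjects

    def pseudonym(self, national_id: str) -> str:
        """HMAC-SHA256 of the identifier: stable per subject, not reversible
        without the key, so a leaked table does not expose the ID itself."""
        return hmac.new(self._key, national_id.encode(), hashlib.sha256).hexdigest()

    def _log(self, action, pseudonym, **extra):
        self.audit_log.append({"at": datetime.now(timezone.utc).isoformat(),
                               "action": action, "subject": pseudonym, **extra})

    def collect(self, national_id, fields, notice_version, consent_given):
        """Notice and consent: refuse to store anything without recorded consent."""
        if not consent_given:
            raise PermissionError("no consent recorded for this notice")
        p = self.pseudonym(national_id)
        self._records[p] = {
            "fields": dict(fields),
            "consent": {"notice": notice_version,
                        "at": datetime.now(timezone.utc).isoformat()},
            "shared_with": [],
        }
        self._log("collect", p, notice=notice_version)
        return p

    def read(self, role, national_id, purpose):
        """Need-to-know access: only the role's allowed fields, and every read is
        logged with its purpose so the subject can later be told why it was used."""
        p = self.pseudonym(national_id)
        rec = self._records.get(p)
        if rec is None:
            return None
        allowed = ROLE_FIELDS.get(role, set())
        view = {k: v for k, v in rec["fields"].items() if k in allowed}
        self._log("read", p, role=role, purpose=purpose, fields=sorted(view))
        return view

    def share(self, national_id, third_party):
        """Record every third party that receives the data (needed for erasure)."""
        p = self.pseudonym(national_id)
        self._records[p]["shared_with"].append(third_party)
        self._log("share", p, to=third_party)

    def export_subject(self, national_id) -> str:
        """Right of access / portability: everything held, who it was shared with
        and the purposes it was processed for, as machine-readable JSON."""
        p = self.pseudonym(national_id)
        rec = self._records[p]
        purposes = sorted({e["purpose"] for e in self.audit_log
                           if e["subject"] == p and e["action"] == "read"})
        return json.dumps({"data": rec["fields"], "consent": rec["consent"],
                           "shared_with": rec["shared_with"],
                           "processing_purposes": purposes}, indent=2)

    def erase_subject(self, national_id):
        """Right to be forgotten: delete the record and return the third parties
        that must also be asked to erase; the audit log keeps the evidence."""
        p = self.pseudonym(national_id)
        rec = self._records.pop(p)
        self._log("erase", p, notify=rec["shared_with"])
        return list(rec["shared_with"])


if __name__ == "__main__":
    store = PersonalDataStore(b"constructed-demo-key")   # constructed key
    nid = "A1234567890123"                                # constructed ID
    store.collect(nid, {"name": "Jane Doe", "address": "Port Louis",
                        "email": "jane@example.com", "card_last4": "4242"},
                  "privacy-notice-v2", consent_given=True)
    print(store.read("support", nid, "ticket #12"))      # name and email only
    store.share(nid, "courier-co")
    print(store.export_subject(nid))                      # subject access export
    print("notify for erasure:", store.erase_subject(nid))
```

The design point is that the audit log, not the record, is what survives erasure: it carries the consent timestamp, each access with its stated purpose and the list of recipients asked to delete, which is the evidence an organisation would present to the Data Protection Office or an auditor.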

Data Protection Officers. If an organisation handles a large amount of Personal Information and is constantly collecting, storing and monitoring such data, it is required to appoint a Data Protection Officer and notify the relevant authorities. Typically this role requires a person with a legal and data privacy background.

5. What is the Data Protection Act 2017 of Mauritius?

The Data Protection Act 2017, in force since 15 January 2018, replaces the now obsolete 2004 version. It is based on the same principles as GDPR but is applicable to the local context. It therefore has the same requirements as GDPR, except for Privacy by Design. Under Mauritian law, failure to comply with the DPA 2017 can lead to a fine of up to Rs 200,000 or 5 years’ imprisonment.

6. Where can I get more information on these regulations?

The final version of the GDPR text is available here.

The full version of the Data Protection Act 2017 is available here.

Disclaimer: The information provided in this article is for information purposes only. It contains personal views and information expressed by the author and is not endorsed by any organisations whatsoever, whether explicit or implied. In no way should information provided in this article be considered as advice or recommendations. Companies willing to implement compliance with regulations including but not limited to GDPR and Data Protection Act 2017 should do so by seeking professional advice.

kris ramanah

Cloud Chapter Lead

6 years

Was a good read ??
