Data protection compliance guide for activities in Africa

Scenario: you buy an item on an online sales site. For the invoice and the package, you need to enter your surname, first name, telephone number, postal address and e-mail address. At the end of the day, this online sales site sends all the personal data collected, including yours, to a platform in exchange for payment, and this platform then shares it with partners. A few weeks later, you are deeply annoyed: you receive up to five telephone prospecting calls a day, with salespeople trying in every way to sell you a thousand things that you don't need!

Personal data protection: an imperative of our time

These, in a nutshell, are the abuses that personal data protection regulations aim to prevent. Because of their complexity and the scale of today's data flows, these regulations can be a real headache for companies. They have existed for about forty years, but in recent years we have seen a trend towards tightening, due to the advent of the Internet and its use by the general public, which facilitates the massive collection of personal data. In this respect, the Facebook-Cambridge Analytica scandal, in which a company allegedly influenced the 2016 US presidential election thanks to the data of 87 million Facebook users, had a considerable impact.

Panorama of the regulations enacted in Africa

It was therefore in response to multiple scandals and protests that the European Data Protection Regulation was adopted: it came into force in 2018, and its acronym, “GDPR”, has since become famous. In Africa, there are also data protection regulations, which are more or less strict. They can be considered strict when there is a data processing control authority, as is the case for example in Mali or Ghana. In other countries, there are data protection regulations without a supervisory authority: this is the case of Guinea. Finally, some countries do not have specific regulations, as is the case of Cameroon (although personal data protection is briefly covered in the 2010 law on security and cybercrime) or of Tanzania.

Please note: non-existent or flexible regulation does not systematically exempt operators from all obligations. On the one hand, simply because data circulates, it is very easy to find oneself subject to a regulation: for instance, all companies processing data and based in the territory of the European Union are subject to GDPR, even if the operations are deployed in Africa. Similarly, all companies processing data of European citizens are subject to GDPR, even if they are based outside the European Union. On the other hand, the protection of personal data is increasingly becoming a commercial argument with citizens, who are more and more sensitive to these issues. Beyond sanctions, companies therefore incur a real reputational risk by not protecting their customers' data.

Here are some practical tips to avoid breaches in your operations in Africa.

A few tips…

1. Understand the nature, flow and trajectory of data

With the globalization of trade, information is transmitted instantly from one corner of the earth to another. It is therefore imperative, when processing data in the context of your activities, to identify:

- the nature of the data collected;

- their volume;

- all the countries through which they pass: they may go beyond the borders of the country in which you are located because you rely on a server or a subcontractor located in another country.

Please note that the data collected must not be excessive and must be proportionate to the aim pursued.

2. Understand the applicable law

Once you have identified where your data will travel, you cannot skip reading the relevant local regulations, when they exist. Indeed, even if similar principles are found across data protection regulations, local data protection authorities carry out more or less extensive control of data processing. Your activity may therefore be subject to prior authorization or to a simple declaration. Similarly, when you process a large volume of data, the regulations may require the appointment of a data protection correspondent who will liaise with the data protection authority to report on your data processing activities.

3. Focus on computer security

Data leaks can have serious consequences. It is therefore necessary to ensure that the media or servers where the data is stored are secure, to prevent any risk of hacking. This implies close coordination with information technology experts. This obligation is not cancelled if you rely on a subcontractor: in this case, you must first ensure that the solution offered is sufficiently secure, and second include a contractual clause obliging the subcontractor to comply with this security obligation.

4. Obtain the consent of the data subjects

When you collect data, you must do so in a fair and transparent manner, i.e. inform customers of the processing carried out and its purposes. Consent is not always mandatory, for example when processing is necessary for the performance of a contract. It still seems simpler to obtain their consent, which can take the form of a contractual clause and which will enable you, for instance, to contact them again after the end of the contractual relationship to offer new services. Please note that the data retention period must be proportionate and limited in time. In addition, your customers must be able to rectify or obtain the deletion of data concerning them at any time.

5. Provide a privacy policy on your website and, if applicable, a cookie banner

Your website must provide, in its legal notices, a privacy policy which indicates the processing carried out, its purpose, how long the data is stored and the right of your customers to obtain its rectification or erasure. In addition, if you use cookies, that is to say that your site retains the IP address of visitors in order to offer them advertisements from your company when they browse the Internet, you must provide a banner through which each visitor can authorize or refuse the use of cookies.

Recommended reading: B. Dédia, M. Ouattara, The protection of personal data in French-speaking Africa, LGDJ, 2020

