In the past weeks, you have probably received a lot of emails from various companies explaining that they’ve changed the privacy settings on the websites, apps and services that you are using.

You may not know it, but these emails are just the ripples from a great tsunami. A huge new wave of data protection has just swept across most of the globe, and it’s changed everything in its wake.

The tsunami has a name: the General Data Protection Regulation (GDPR), which is essentially a new set of privacy rules adopted by the European Union to protect the privacy of all EU residents.

The tsunami hit on Friday, 25 May 2018 – the date when these new data protection rules came into force.

If it sounds so boring, why are we calling it a tsunami? The GDPR has far-reaching implications for any business, organisation and entity that handles personal information of any kind. It is probably the strongest privacy protection ever. Under the GDPR, individuals have greatly expanded rights over their data, including the right to be informed and notified as to what someone’s doing with your data, the right to object to what they’re doing with it, and the right to be forgotten.

Here on South Africa’s shores, it may seem like we’re just seeing the ripples. But actually this tsunami is coming for us as well.

The EU (European Union) has stated that any organisations that are not in compliance with the GDPR will face heavy fines – including for any South African firms that have EU customers’ personal information. If a business offers goods or services to citizens in the EU, then it will be subject to GDPR, no matter where it’s based.

It’s not just South African companies that are getting swept up. Our entire government has been standing right in this tsunami’s path. This is because the EU is likely to do assessments of all countries with customers in the EU to see whether they’re complaint with the new data protection rules.

And in South Africa what do we see? To continue the tsunami metaphor, our lawmakers and authorities are essentially still chilling on the beach, watching the tide come in. Another day another data breach. Late in May, we saw nearly a million people’s private information leaked online from a traffic fines site. The data leak of 934,000 records contains identity numbers‚ email addresses‚ full names and passwords.

Privacy breaches are relatively common in South Africa. Our own recent data protection law, the Protection of Personal Information Act, is not yet operational. The data protection watchdog created through that law is the Information Regulator – the watchdog body is essentially non-functioning, with most of its funding tied up in government bureaucracy.

The failure of our government to adequately protect our privacy – having produced a world-class data protection law and then failed, thus far, to get it off the ground – could well have economic consequences in light of the GDPR.

And certainly, this failure will have consequences for the millions of people who need their privacy protected. Information is important. Who has it is important, and who should not have it is important.

We are all asked to give up vast amount of personal data at every point – literally, at the gate or door we are asked to give our names, ID numbers, car registrations and other personal information – sometimes even scans of our face, irises or thumbprints. Those large grubby books that sit on reception desks across the country have long left our information unprotected, and now they are being replaced by high-tech nightmare biometric databases, some of which are introduced by private security firms and others by the likes of Home Affairs and Sassa. We carefully lock our front doors and close our gates, but leave lying around the very keys to our electronic identities.

We called it a tsunami, but the arrival of the EU’s new data protection rules are essentially a wave of change, and our lawmakers and regulator have all but missed it.

We as citizens of South Africa need to start holding our government, and the Information Regulator in particular, accountable for our data security.

You can email the Information Regulator with your queries at [email protected] or call them on 012 406 4818. DM

Alison Tilley is a spokesperson for the Open Democracy Advice Centre and and Murray Hunter for the Right2Know Campaign