Over the past few years you will have noticed your inbox filling up with emails from businesses announcing that they have “updated their privacy policy”. This is because data protection law is going through another revolution. The Mauritian government enacted a new Data Protection Act modelled on the EU General Data Protection Regulation (commonly known as the GDPR), a lengthy text full of complex provisions, adapted to the needs of Mauritian citizens. The objective of the Act is to reinforce legal and practical certainty for economic operators and public authorities by aligning the law with international best practice.
The principal rationale behind the GDPR, which has applied since May 25, 2018, is to bring the law up to date with the growth of the digital economy and the many ways in which personal data are now collected and transferred. The GDPR treats personal data protection as a matter of fundamental rights. Under this European legislation, personal data may only be transferred from the European Union to a third country that has been recognised as providing an “adequate” level of data protection, or, failing such recognition, under appropriate safeguards such as standard contractual clauses; a transfer that relies on neither is unlawful. Hence the need to review our Data Protection Act 2004 and align it with the GDPR, so that the growth of our digital economy is not held back.

Under the Data Protection Act, a business that is not compliant may be liable to a fine not exceeding 200,000 rupees and to imprisonment for a term not exceeding 5 years, and, as recent decisions of the Data Protection Office show, may be ordered to stop its processing activities altogether. Businesses that fail to put sufficient mechanisms in place to protect customer data therefore risk not only the financial losses of heavy fines and breach remediation, but reputational damage as well.

Another alarm bell for businesses in Mauritius is the territorial scope of the GDPR. Its obligations reach beyond the European Union: they apply to a business that is not established in the Union but processes the personal data of data subjects who are in the Union, where that processing relates either to offering them goods or services (irrespective of whether the data subject is required to pay) or to monitoring their behaviour as far as it takes place within the Union. Businesses that fail to adhere to the GDPR face steep penalties of up to €20 million or 4% of global annual turnover, whichever is higher.

While the GDPR and the Data Protection Act do create challenges and pain for businesses, they also create an opportunity to build deeper trust and retain more loyal customers. If you have not already started your journey to compliance, we urge you to start now.

Article by: Rigvi Bansoodeb
Compliance Coordinator