In your experience, do companies in Mauritius need to do more to fully understand their data privacy and protection duties in the digital age?
To a large extent, companies in Mauritius are aware of the Data Protection Act 2017 (DPA) which governs data protection, and which came into operation on 15 January 2018. They are also aware that they have obligations imposed by the DPA when they act as controllers or processors and that those individuals whose data they are processing have rights guaranteed by the DPA. However, there is work to be done before companies in Mauritius become fully compliant with the DPA. Companies must become more conscious of their duty of accountability to those data subjects whose data they are processing.
Could you outline the latest legal and regulatory developments affecting corporate storage, handling and transfer of data in your region?
According to the DPA, companies must ensure that personal data is kept in a form which allows data subjects to be identified for no longer than is necessary for the purposes for which their personal data is being processed. There is no specific time limit under the DPA within which data should be deleted. This should be decided by the company. However, there are a few elements which should be considered when deciding on the retention period for personal data. First, personal data can be kept indefinitely only if it is being held for archiving, scientific, historical, research or statistical purposes. Second, personal data may be required in order to defend possible future claims or to enter possible claims against former clients or employees. Third, there may be legal or regulatory requirements by virtue of which certain personal data needs to be retained. With respect to transfers of data from the European Union (EU) to Mauritius, this must be done in compliance with standard contractual clauses under the General Data Protection Regulation (GDPR), as Mauritius is considered a third country for the EU. It is apposite to note, however, that Mauritius has submitted a report to the European Commission for the assessment of Mauritius as an adequate country for the safe transfer of personal data.
In what ways have the authorities increased their monitoring and enforcement activities with respect to data protection and privacy in recent years?
Though under the DPA, the Data Protection Commissioner (DPC) cannot impose administrative fines like the supervisory authorities can do under the GDPR. The DPC does, however, have enforcement powers such as investigating complaints made to the DPC for DPA breaches, requesting information, applying to the judge in chambers for preservation orders, and issuing enforcement notices. Where a complaint is made to the DPC for an alleged contravention of the DPA, the DPC investigates and where an amicable settlement is not possible, sends the file to the director of public prosecutions. Upon conviction, the person breaching the DPA will be liable to a fine not exceeding 200,000 Mauritian rupees and to imprisonment for up to five years. The DPC may also carry out periodic audits of companies’ systems and security measures to ensure they comply with the DPA.
What insights can we draw from recent high-profile data breaches? What impact have these situations had on the data protection landscape?
Mauritius is yet to experience a high-profile data breach. However, since our data protection law is inspired by the GDPR and includes many similar provisions, all high-profile breaches of the GDPR and subsequent decisions rendered on those breaches are closely followed in Mauritius, as they may persuade decisions in our courts. This means that our courts may follow the decision of a supervisory authority or European court if the provision of the GDPR being interpreted is similar to that found in the DPA. Mauritius has a thriving business process outsourcing (BPO) sector, and this involves European personal data being processed in Mauritius. The GDPR may be applied to these companies or to any company which processes the data of data subjects in Europe, and therefore cases involving the GDPR are highly relevant.
What steps can companies take to mitigate data risks arising from the use of third parties, such as consultants, agents and distributers?
Before companies retain the services of any third parties that will be processing their data, it is important to carry out proper due diligence on the service provider to ensure that it complies with the DPA and has the necessary security and organisational measures in place to safeguard the data it is processes. It is mandatory to have a written contract between the company and the service provider as processor, such as a payroll service provider or a cloud service provider. Under the DPA, the contract should ensure that the processor acts only on the instructions received from the controller, and is bound to implement appropriate security and organisational measures to prevent a data breach and also provide an adequate level of security.
What can companies do to manage internal data privacy risks and threats, such as liabilities arising from lost devices or the actions of rogue employees?
What essential advice can you offer to companies in Mauritius on managing data risk and maintaining regulatory compliance going forward?
Companies need to process data lawfully, fairly and transparently. They have a duty of accountability to individuals whose data they are processing. They also need to have in place policies and processes so that the personal data of data subjects, whether it be employees, clients, service providers, directors or shareholders, are processed in accordance with data privacy laws. It is very important for companies to put in place adequate security measures, such as encryption or pseudonymisation of personal data. However, the biggest cyber risk is not from external hackers but rather from complacency within the company. Therefore, in addition to technological and physical measures, staff training is key to curbing or curtailing such risks. Privacy challenges cannot be understated – data breaches can put companies out of business, not only because of the sanctions involved but also because of the reputational damage it may cause, which may be irreversible. Complying with the DPA might be a tedious task, but each step is toward companies protecting themselves from prosecution and gaining a competitive advantage in a crowded marketplace.