January 20, 2023

SADC Secretariat fully complies with international best practices on Protection of Personal Data

The Southern African Development Community (SADC) Secretariat fully complies with appropriate systems, controls, rules and procedures for ensuring protection of personal data in line with the globally recognised General Data Protection Regulation (GDPR) of the European Union (EU).  

This was validated by the recent audit report for the period of November 2021 - October 2022 produced by Deloitte Reviseurs d’Enterprises which found the SADC Secretariat to be fully compliant. The EU conducts Pillar Assessments in order to evaluate whether to fund or conclude specific agreements with organisations such as SADC. This particular audit sought to assess if the SADC Secretariat complied with Pillar 9 which is a criterion set by the European Union to protect personal data privacy and security.

Personal data means any information such as personal and contact details that could directly or indirectly identify a living person. The internet and cloud computing has captured a lot of personal data and if used in an improper manner, could pose a threat to the well-being of data subject through identity theft, financial loss, discrimination or physical harm. It is in light of these potential risks that organisations are required to have data protection laws which set out what should be done to make sure personal data is used properly and ethically.

The SADC Secretariat amongst other risk mitigation actions, developed a Policy on the Protection of Personal Data, which was approved by the Council of Ministers in March 2022. This Policy provides guidance on how the Secretariat, its staff members, consultants, and stakeholders obtain, process, restrict, dispose or store personal data.

The Secretariat also implemented a personal data compliance programme which involved the development of workplace policies, processes, and training of all SADC Secretariat staff members on compliance with the Policy as well as the creation of the SADC Secretariat’s privacy team. Proper mechanisms for cross border data transfers which permit the transfer of personal data to third parties outside the SADC Secretariat are also in place.   Through the office of the Data Protection Officer, the SADC Secretariat will ensure that employees and stakeholders are familiar with the Data Protection Policy and will continue to monitor compliance.  

Having systems, controls, rules, and procedures which comply with internationally accepted standards such as the GDPR is very crucial in a digital ecosystem because organisations within the EU can easily cooperate with the SADC Secretariat with the assurance that any personal data which may be shared will be processed by the SADC Secretariat in accordance with the EU Data Protection laws.

Compliance of the SADC Secretariat with these standards will strengthen the SADC-EU relations and enhance continued engagement with development partners and funders. It is also reassuring that the majority of SADC Member States have adopted data protection laws and this with strengthen the position of the SADC region as an ethical destination for attracting Foreign Direct Investment because investors will be assured that their data is protected.

The Protection of Personal Data project is funded by the EU under the Integrated Institutional Capacity Building (IICB) Programme for the SADC Secretariat and National Stakeholders that aims to enhance service delivery by the Secretariat in support of programme/project planning, coordination, resource mobilisation, implementation, monitoring and knowledge-sharing of regional commitments at country level.