The European General Data Protection Regulation ("GDPR ") is effective as from 3.00 am (Mauritian time) today, 25 May 2018. The GDPR has extra-territorial applicability; it will apply to Mauritian controllers and processors who are processing personal data of data subjects in the European Union ("EU ").

In the event the GDPR is applicable, there are 2 options open to local controllers and processors: (i) apply the GDPR, or (ii) refrain from processing personal data of data subjects who are in the EU. It is clear that the first option is the more reasonable one as the second option would affect, to a large extent, our business ties with Europe.

Mauritius was among the first countries in the world to have enacted a data protection legislation which aims to be in line with the GDPR. The Data Protection Act 2017 ("DPA 2017 ") which was promulgated in January this year, extends the scope of responsibilities for controllers and processors and gives enhanced rights to data subjects. If a controller/processor is compliant with the DPA 2017, then, it would be, to a large extent, also compliant with the GDPR.

Although it has a lot of similarities with the DPA 2017, the GDPR is however different to some extent.

The table below helps to summarise the main differences between the GDPR and the DPA 2017

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.