Meet the people who make DPO Consulting

Publié le 14 March 2023

Meet Elsie RASOLOHERY, Director of DPO Consulting Indian Ocean.

Can you introduce yourself and tell us what you are passionate about in data protection?

I am of French-Malagasy origin and also have Mauritian nationality. With a postgraduate degree in business and corporate law, I started my career as a lawyer in Réunion Island working for accountants. Then, I was a legal advisor in a multinational company, working in Mauritius, London and Paris, and recently in a pan-African legal firm based in Mauritius.

My passion for data protection was passed on to me in the early 2000s by colleagues, experts in the field, with whom I collaborated closely in the process of aligning the global data protection policy with local regulations in several countries. The challenges at the time were to raise awareness of the importance of the subject within the framework of the execution and management of cross-border IT and BPO contracts, to deploy the implementation of the data protection policy in a global and multicultural environment, and thus to establish a culture of compliance in this area at all levels of the organization’s hierarchy.

My interest in the subject has grown over the years as I have seen how quickly data protection has become important due to the rapid technological evolution with the internet, data, networks, blockchain, connected objects, cloud computing, artificial intelligence, and more recently health software. The impact of the use of these new technologies on the behavior of each individual has made the right to personal data protection a fundamental right that is part of the right to privacy protected by the European Convention on Human Rights.

The legal issues raised by data protection are fascinating. For example, the question of how to balance the right to personal data protection with other fundamental rights such as freedom of expression, which includes freedom of communication and information, or the responsibility of the liquidator in the context of collective proceedings. The extraterritorial application of GDPR has made data protection an intersectional subject, without borders, where traditional law disciplines and new technologies intertwine. For companies, issues can arise at any point in the compliance process, ranging from design/designthrough to implementation/implementationand finally control/monitoringand auditing.

New challenges will arise as quantum computing will soon revolutionize the future and profoundly change economies, industries and our lives.

What is the state of personal data protection regulations in the Indian Ocean?

There are many islands and territories in the Indian Ocean, and I will only mention the Vanilla Islands: Réunion Island, Mauritius and Madagascar, which I know better than Mayotte, the Seychelles and the Comoros. It is important to know that the level of maturity of these countries regarding personal data is very uneven.

To my knowledge, there is no legal and regulatory framework for data protection in the Comoros. As for the Seychelles, the 2003 Data Protection Act inspired by the British law of 1984 (long since abolished), has not yet come into force.

In Madagascar, the personal data protection law dates from 2014 and is largely inspired by European Directive 95/46/EC, and the advice of member countries of the Francophone Association of Personal Data Protection Authorities (AFAPDP). One of the particularities of the Malagasy law is that it does not provide for any notification procedure in case of personal data breach. It should also be noted that the supervisory authority is the Malagasy Commission for Information Technology and Civil Liberties, but in 2020 this has not yet been established.

In Mauritius, the old Data Protection Act of 2004 was abolished, and replaced in 2018 by a law largely inspired by GDPR. Like GDPR, it advocates the 8 golden rules of personal data protection, the principle of “Privacy by Design”, strengthens the rights of data subjects over their personal data as well as the power of the supervisory authority. Several Mauritian companies with international operations, in particular in Europe, have reviewed their data protection policy, the level of their IT security, their contractual relations with their subcontractors, their internal procedures and their governance framework. To date, there is no Mauritian case law on the subject, nor have there been any significant sanctions from the supervisory authority.

As Réunion Island and Mayotte are part of France, GDPR applies: compliance with legal obligations is mandatory, sanctions in case of non-compliance are applicable, the supervisory authority is the CNIL. As a result, companies in Réunion Island have had to devote the necessary means and resources to set up and appoint their personal data protection officer. Almost 4 years after the entry into force of GDPR, it would be interesting to draw up an assessment.

How do you see the future of DPO Consulting in the Indian Ocean?

As a French company, DPO Consulting has its place in the Indian Ocean, particularly in Réunion Island where companies are subject to GDPR.

DPO Consulting can also have a certain competitive advantage in Mauritius because of its expertise in the field since its creation. Mauritius being a country resolutely turned towards the international which aligned its legislation in data protection on GDPR. DPO Consulting can therefore offer its expertise in the field, on the one hand to economic operators and Mauritian conglomerates for their operations in Mauritius and internationally, on the other hand to organizations that use Mauritius as an investment platform to Africa.

Investment opportunities are multiplying rapidly across the African continent. Organizations wishing to establish themselves in Africa need to be aware of the legal and regulatory framework relating to data protection, which differs from country to country. Lack of knowledge of, or compliance with, the data protection laws of a particular African country may hinder the operations of multinational organizations. For example, South Africa’s data protection law contains restrictions on the transfer of personal data across its borders. The same is true in Ghana, Ivory Coast or Burkina Faso. So I think DPO Consulting has a future not only in the Vanilla Islands but also on the African continent.