Data Protection
Protecting the Age of Information
“It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public.”
- Clay Shirky, Internet Scholar and Professor at NYU
What is Data Protection?
Data Protection is the process of safeguarding important information from corruption, compromise or loss. It is important to note that data protection is not limited to the protection of personal information, and may include confidential information, trade secrets and other sensitive information. For the purpose of this discussion we will focus on the protection of personal information, including but not limited to the personal information of organisations’ customers, clients and employees.
What Data Protection legislation is relevant for businesses in South Africa?
For South African organisations the following legislation is specifically applicable:
Protection of Personal Information Act 4 of 2013 (“POPI”) is South Africa’s data protection legislation. Some sections of POPI are already in effect, but the majority still have to be brought into operation; this is expected within the year. POPI protects the personal information of both natural and juristic persons, which distinguishes it from the GDPR below. Once the remaining sections commence, organisations will have one year to comply with POPI in its entirety.
General Data Protection Regulation (“GDPR”) is the European Union’s data protection legislation. In contrast to POPI, its reach is not confined to the territory that enacted it. Whereas POPI applies to processing within South Africa, the GDPR protects the personal information of data subjects in the EU irrespective of where that information is processed or controlled. Consequently, a South African organisation that processes the personal information of people in the EU, for example by offering them goods or services or by monitoring their behaviour, may also need to comply with the GDPR.
How does one protect personal information?
Poet and essayist John Perry Barlow stated that relying on government to protect our privacy is like asking a peeping tom to install your window blinds. While Mr. Barlow has a point in that we must take responsibility for protecting our own privacy, we are also fortunate that governments have enacted legislation (as noted above) which guides us on how to deal with the personal information of others and tells us how others may deal with ours.
Both pieces of legislation define exactly what constitutes personal information and set out conditions (POPI) or principles (GDPR) governing how personal information may be collected, processed, stored and protected. Fortunately there is great overlap between the two, with the GDPR granting data subjects some additional rights, such as the right to erasure (the “right to be forgotten”) and the right to data portability.
However, legislation is not the only guide to the protection of personal information. Organisations should also refer to international standards for guidance on security and data protection. ISO/IEC 27001 and 27002 (information security management and its controls), ISO/IEC 27017 (security controls for cloud services) and ISO/IEC 27701 (the privacy information management extension to 27001) help an organisation identify and limit the risk of privacy infringement; on their own they do not guarantee legal compliance.
Why is Data Protection important?
The digital environment in which we live has brought multiple advantages, but it also threatens our privacy. As technology advances, the amount of data created and stored continues to grow at unprecedented rates, and that data is becoming ever easier to access. Mobile location tracking, which the Government is putting to use during the COVID-19 pandemic, is a good example of how easily personal information can be accessed and, without stating the obvious, how quickly privacy risks arise when that information is repurposed by the government or by third parties.
Complying with Data Protection legislation has the further positive effect of:
- Differentiating the organisation in the market, and
- Building customer/client trust, which in turn improves customer/client relationships.
What happens if an organisation does not comply?
Non-compliance affects an organisation on multiple levels.
- Enforcement notices can prevent an organisation from continuing to process personal information, bringing the entire organisation or a large section of it to a standstill.
- A privacy breach can take affected systems and processes offline while a forensic investigation is conducted.
- Both of these lead to loss of revenue.
- Privacy breaches damage an organisation’s reputation, which in turn leads to loss of clients/customers and further loss of revenue.
- Incidents can affect a listed organisation’s share price.
- Incidents also lead to fines, penalties and lawsuits, each of which has an economic impact on the organisation. The GDPR prescribes administrative fines of up to €10 million or 2% of an organisation’s worldwide annual turnover, whichever is higher, and for the more serious infringements up to €20 million or 4%. POPI provides for administrative fines of up to R10 million and, for certain offences, imprisonment of up to ten years; global tendencies indicate that enforcement will be similarly stringent.
- Non-compliance affects an organisation’s ability to compete effectively and, combined with any of the above consequences, may ultimately lead to its closure.
Although not all provisions of the POPI Act have come into effect, organisations can already start taking steps towards compliance. By taking these steps now, organisations will be compliant well before the deadline, giving them an advantage over their competitors.
As a start, organisations can:
- Conduct a Privacy Impact Assessment on their entire organisation, or a specific process or project of their organisation, to determine:
- the privacy risks inside the organisation or within the specific process or project;
- the level of compliance with the Data Protection legislation applicable to the organisation; and
- the actions to be taken to close the gap between the current status and compliance.
- Review all agreements, including employment agreements, third-party agreements and client or customer agreements, to ensure that the organisation is not only compliant but also protected in the event that another party’s actions lead to a data breach.
- Draft a Data Protection Policy for the organisation and, more specifically, for its employees.
- Run regular training to increase awareness of data protection across the organisation, which in turn increases compliance and helps prevent the negative consequences noted above.