fbpx

IP/IT Law: Protection in the Age of Information

Protection in the Age of Information

“It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public.” – Clay Shirky, Internet Scholar and Professor at NYU

What is Data Protection?

Data Protection is the process of safeguarding important information from corruption, compromise or loss. It is important to note that data protection is not limited to the protection of personal information, and may include confidential information, trade secrets and other sensitive information. For the purpose of this discussion, we will focus on the protection of personal information, including but not limited to the personal information of organisations’ customers, clients and employees.

What Data Protection Legislation is relevant for businesses in South Africa

For South African organisations the following legislation is specifically applicable:

Protection of Personal Information Act 4 of 2013 (“POPI”) is South Africa’s Data Protection legislation. While some sections of POPI are already in effect, the majority of sections still need to be promulgated; it is expected to be within this year. POPI is applicable to the protection of personal information of both natural and juristic persons, which differentiates it from the GDPR, below. Once fully in effect, organisations will have one year to comply with POPI in its entirety.

General Data Protection Regulations (“GDPR”) is the European Union’s Data Protection legislation. In contrast to POPI, it is not jurisdictionally limited. Whereas POPI’s application is limited to South Africa’s borders, the GDPR is applicable to the personal information of EU citizens, irrespective of where their personal information is being processed or controlled. Consequently, the South African organisation that processes the personal information of EU citizens may also need to comply with the GDPR.

How does one protect personal information?

Poet and essayist John Perry Barlow stated that relying on the government to protect our privacy is like asking a peeping tom to install your window blinds. Whereas Mr. Barlow has a point in that we must take responsibility for protecting our privacy, we are also in the fortunate position where governments have enacted legislation (as noted above) that guide us on how to deal with the privacy (personal information) of others as well as empowering us to know how others may deal with our personal information. In terms of the above legislation, both define exactly what constitutes personal information and provides conditions/principles regarding what personal information may be collected, processed, stored and protected. Fortunately, there is a great overlap between the two, with the GDPR providing additional rights to data subjects, such as the right to be forgotten. However, legislation is not the only guide for the protection of personal information. Organisations should also refer to certain International Standards to guide them on aspects such as security and data protection. International Standards such as ISO/IEC 27001/2 and 27017 are useful standards that ensure that an organisation limits the potential risks of privacy infringement.

Why is Data Protection important?

The digital environment in which we live has brought with it multiple advantages, but it also poses a threat to our privacy. As technology advances, the amount of data created and stored continues to grow at unprecedented rates. It is also becoming increasingly easy to access this data. The use of mobile location tracking, something the Government is putting to use during the COVID-19 pandemic, is a good example of how easy it is to access personal information and, without stating the obvious, how quickly potential privacy risks arise when the information is utilised for other purposes by the government or third parties.

Complying with Data Protection legislation has a further positive effect of:

  • Setting an organisation up as a market differentiator, and
  • Building customer/client trust, which in turns improves customer/client relationships.

What happens if an organisation does not comply?

On multiple levels, organisations will be negatively impacted by their non-compliance.

Operational:

  • Enforcement notices can prevent an organisation from continuing to process personal information, bringing an entire organisation or a large section thereof to a complete standstill.
  • Breach of privacy incidents can lead to a complete shutdown while a forensic investigation is being conducted.
    Both these instances will lead to loss of revenue.

Reputational:

Privacy breaches will negatively impact an organisation’s reputation. This, in turn, will lead to a loss of clients/customers and the further loss of revenue.

Financial:

  • Incidents will affect an organisation’s share price.
  • Incidents will also lead to fines, penalties and lawsuits, each of which will have an economical impact on the organisation.
  • The GDPR prescribes a penalty of up to €10 million or 2% of an organisation’s global turn over, whichever is higher.
  • Although POPIA is yet to prescribe the exact penalties, global tendencies indicate that we can expect as stringent penalties and consequences.

Strategic:

Non-compliance will affect an organisation’s ability to compete effectively. In turn, this will lead to the eventual closure of the organisation, especially if this strategic impact is combined with any of the above consequences.

What to do?

Although not all provisions of the POPI Act have come into effect, organisations can already start taking steps towards compliance. By taking these steps now, organisations will be compliant long before the deadline’s arrival, providing them with an advantage over their competitors.

As a start, organisations can:

Conduct a Privacy Impact Assessment on their entire organisation, or a specific process or project of their organisation, to determine:

  • the privacy risks inside the organisation or within the specific process or project;
  • the level of compliance with the Data Protection legislation applicable to the organisation; and
  • the actions to be taken to close the gap between the current status and compliance.

Review all agreements, including employment agreements, third party agreements and client or customer agreements to ensure you are not only compliant but also protected against the event where another party’s actions lead to a data breach.

Review existing Privacy Policies, where applicable, to ensure compliance. Where no Privacy Policy exists, to draft an appropriate Privacy Policy. Draft a Data Protection Policy for the organisation and, more specifically, your employees.

Execute regular training to increase awareness of Data Protection in the organisation that will, in turn, increase compliance and prevent any of the negative consequences noted above.

For more guidance and assistance in Data Protection, you can contact our Information Technology Department.

Gerrie van Gaalen at gvgaalen@dkvg.co.za


Ingrid Opperman at iopperman@dkvg.co.za

This article is for general information purposes and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact us At DKVG Attorneys for specific and detailed advice.