Personal data protection, more than the latest buzz term

23 September 2020

The importance of data privacy has enjoyed increased airtime on various channels over the past couple of years. And with good reason.

The collection of personal information and data, and the management thereof, could result in costly consequences if not managed ethically.  Beyond the ethical consideration, personal information should be handled within legal boundaries to protect the organisation responsible for processing it as well as the data subject (which may include clients, customers, employees, suppliers) consenting to share it with the organisation.  

Let’s have a look at why organisations should understand their responsibility when collecting personal information.  

Data privacy and personal information protection as an extension of privacy

Let’s take a step back to remind ourselves that privacy is an inherent human right. In fact, it is protected by the South African Constitution. The right to personal information privacy – whether the data belongs to private individuals or an organisational entity is an extension of privacy that data subjects are already rightfully entitled to.

Organisations are therefore obligated to protect personal information using the highest standard of checks and balances, not just because it is an ethical consideration, but also because this right is now protected by the law in the form of the Protection of Private Information Act 2013 (POPIA).

Privacy catching up with the Internet

The Economist points out that “what used to be non-sensitive data, has in the age of big data effectively been converted into sensitive information.” One could credit the age of big data with forcing the public and governments alike to stand up in protection of data subjects.

According to The Economist, the year 2018 will be remembered as the year in which privacy law finally started catching up to the Internet. During this year allegations came to the fore that voters in the British referendum and US elections allegedly were unduly influenced primarily on social media with the intention of dividing voter sentiment. One should keep in mind that the right to a free and fair democratic election is another constitutional right and enjoys protection by law.

One way to think of it, and as so poignantly pointed out in Netflix’s documentary The Social Dilemma, “if you don't pay for the product – you are the product.”

The controversial and much-talked-about documentary puts forward a compelling argument that, whether you are overtly aware of it or not, technology companies and social media networks may pose a very real threat to data subjects when operating with limited regulations.

A landscape of distrust

Customers are becoming more aware of their right to have their personal data protected before they agree to willingly supply organisations with it.  With the real threat of data breaches and media reports of cases where personal information has been misused, customers are beginning to display a higher level of awareness.

The University of South Africa conducted a survey among South Africans to measure consumer privacy expectations and confidence. The study found that about 64% of the participants knew someone whose personal information has been misused. Furthermore, 83% of the 1 007 participants canvassed indicated that they are concerned about the protection of their data, and about 94% reported concern about safeguarding their identity.

It comes as no surprise that the way in which organisations are using the data they collect influences consumer behaviour directly. A 2017 study by Martin, Borah and Palmatier published in the Journal of Marketing,  explores how customers’ perception of their data vulnerability drives their responses to firms’ efforts to collect and use their data. It found that customers feel much more at ease with providing their personal information if the organisation is transparent in how they plan to process this data or when they are given control over the manner in which they provide their information.

Protect personal information within these guidelines

The collection and management of personal information will be completely subjected to regulations when the grace period for organisations to comply with the POPIA comes to an end in July 2021. Leading up to this, organisations are starting to feel increased pressure to ‘do it right’ when it comes to data protection.

Ridwaan Boda, a globally recognised expert in the field of data privacy law and partner at top-tier law firm ENSafrica, explains that compliance with data privacy laws really shouldn’t be a hard sell to Boards and management, especially when you put yourself in the position of anyone affected by a data breach or misuse of personal information. He says four basic principles apply when organisations are handling personal information:

  1. Treat all personal information securely and keep it safe.
  2. Don’t use the information for purposes it wasn’t intended for.
  3. Don’t overshare the information.
  4. Be careful when dealing with personal information.

There hasn’t been a better time than now to take the first step in becoming responsible stewards of the personal data entrusted to organisations – bot legally as well as practically. It is no small feat and requires a multi-disciplinary team that understands the landscape, legislation and practical aspects.

Kriel & Co and ENSafrica offer a multidisciplinary offering to tie three interlinking elements together – the law, technology and the change management consulting organisations need to adapt their way of working and tie these elements together. Relying on one discipline alone will most likely not be sufficient.

Contact the team if you are interested to learn more about the next steps needed to create a holistic, end-to-end data protection solution that incorporates the law, technology and your own tailor-made change management journey.