With the average cost of a data breach in South Africa reaching R49,5 million in 2023, consent, notice, and regulatory obligations cannot be ignored. Data privacy is a human right that must be part of enterprise culture.
The purpose of personal data protection is to protect the fundamental rights and freedoms of persons and companies that are related to that data
Data Privacy is concerned with the Proper handling of Data
Data privacy is the right of a citizen to have control over how personal information is collected and used.
Data protection is a subset of privacy. This is because protecting user data and sensitive information is the first step to keeping user data private.
Data Privacy regulations relevant to South African businesses
GDPR
The European Union is widely regarded as the leader in protecting the data privacy rights of its citizens with its General Data Protection Regulation (GDPR).
The Regulations protect European Union citizens' personal data around the world, making the regulation a benchmark for compliance around the world, and in particular for any business that may capture personal data related to any EU citizen. In practice, this means any almost company that has a website is subject to GDPR.
PoPIA
South Africa's data privacy regulation, the Protection of Personal Information Act (PoPIA) extends the definition of a citizen to include any juristic person.
This means that our data privacy bill protects against the abuse of sensitive data related to individuals (like customers and employees) and companies (suppliers and partners).
Other Countries
A few other African countries, including Nigeria, Kenya, Uganda and Zimbabwe also have their own data privacy regulations. Others are in the process of defining their regulations. In practice, most large organisations will have to comply with many regulations.
The number of regulations will increase as more countries add their interpretations. Sound data governance and data management practises should make it easy to meet compliance requirements and quickly adapt existing policies to prove compliance with additional regulations as these become relevant.
Ensuring data privacy requires sound data management practices
Whilst legal compliance is of course essential, the bulk of the effort of ensuring PoPIA compliance is built around ensuring sound data management practices throughout the data life cycle.
Data privacy is built upon a foundation of accountability.
In larger organisations, accountability means defining and sharing clear policies for the use of personal data, and ensuring that these policies are followed throughout the organisation.
Policies can be linked to specific business processes and systems, to link individual actions to the underlying data and ensure that privacy is not infringed. A governed data catalogue can be an invaluable tool for tracking and sharing (and to external auditors and regulators) the details of your policies within the organisation, and for putting these into the context of actual data use.
Locate and document personal data
To protect personal data, we need to understand where it is captured and stored, and for what purpose.
This can be a very large challenge, particularly for larger organisations. The use of automated scanners to locate PII and other sensitive data can be extremely helpful to Impact Assessments, Risk Assessments, Data Cataloguing and Classification exercises
Data security
Once data is secured we need to protect it from both internal and external threats.
Whilst it may be tempting to focus on securing the perimeter of the organisation, many cases of abuse of personal data are internal. Managing data privacy effectively requires a nuanced approach to data security - ensuring role-based access to individual fields based on the user's processing purpose. Blending technology such as masking, encryption and user behaviour analytics ensures the granular level of security needed to ensure the data subject is protected.
Monitoring
A final piece in the puzzle is to monitor data access for suspicious activity.
Many breaches have occurred through the illegal activities of legitimately authorised users. By monitoring user activity and access, and flagging unusual or suspicious activities for further investigation, we minimise the risk of abuse.
FAQ
What is data privacy?
Data privacy refers to the protection and proper handling of sensitive or personal information that an individual or organisation holds. It involves ensuring that data is collected, stored, processed, and used in a way that respects an individual's privacy rights, and that appropriate measures are in place to prevent unauthorised access, use, or disclosure of this information.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a European Union (EU) law that came into effect in 2018. It sets out rules and standards for the collection, use, and storage of personal data of individuals in the EU, to protect their privacy rights, and it applies to any organisation dealing with the personal data of an EU citizen.
What is the Protection of Personal Information Action (PoPIA or PoPI)?
The Protection of Personal Information Action (PoPIA or PoPI) is a South African law that came into effect in 2021. It sets out rules and standards for the collection, use, and storage of personal data of South African individuals and legal entities, to protect their privacy rights. We help organisations achieve PoPIA compliance through sound data management.
What is the difference between data privacy and data security?
Data privacy refers to the protection of personal information or sensitive data from unauthorized access or use. It is the right of individuals to control how their personal information is collected, used, and shared.
Data security, on the other hand, refers to the measures taken to protect data from unauthorized access, theft, or damage. It includes the use of technologies and processes to ensure the confidentiality, data integrity, and availability of data.
What is a privacy policy?
A privacy policy is a statement or document that outlines how an organisation collects, uses, and manages personal information that is collected from individuals who interact with the organisation. It explains what data is collected, how it is used, who it is shared with, and the measures taken to protect the privacy of that data. The purpose of a privacy policy is to inform individuals about how their personal information is being used and to establish data transparency and trust between the organisation and its customers or users.
What is a data breach?
A data breach is an incident where sensitive or confidential information is accessed, viewed, stolen, or used by an unauthorized individual or entity. This can occur due to various reasons such as hacking, employee error, lost or stolen devices, or other forms of malicious activity. Data breaches can result in the compromise of personal information, financial loss, reputational damage, and legal consequences for both individuals and organisations
What are the consequences of a data breach?
The consequences of a breach can be severe and wide-ranging. Some of the immediate consequences include loss of sensitive data, financial losses, damage to reputation, and legal liabilities. The loss of sensitive data can lead to identity theft, fraud, and other forms of cybercrime, resulting in financial losses for both individuals and organisations. The damage to reputation can result in loss of customers, revenue, and trust, and may take years to recover. Legal liabilities can arise from breach of data protection laws, resulting in fines, legal action, and potential criminal charges. In addition to the immediate consequences, a data breach can also have long-term effects on an organisation's operations and financial stability.
References
IBM, Cost of a Data Breach Report, 2023