SA preparing to enforce some of the strictest data protection laws in the world
Following the signing of the Protection of Personal Information (POPI) Act back in November 2013, the South African government has spent the last year establishing its own Information Regulator. The new office will be responsible for monitoring how public and private organisations use and protect customer data, and for enforcing compliance.
While many experts believe the Regulator is still 12-18 months from being fully established and funded, its setup comes in the wake of research by business consultancy Sage South Africa, which found that one of the most prevalent challenges for small and medium-sized businesses in 2017 was collecting customer e-mail addresses and other data.
As South Africa is about to switch from almost no regulation to some of the world’s strictest data protection laws, it is important that business leaders be aware of the changes being imposed, and of the consequences of failing to ready their policies in time.
Why collect customer data?
The more personal the information collected, the more accurately businesses can market to their customer base. Furthermore, it is increasingly common for businesses to sell the customer data they collect to third parties. The business makes money, while the third parties are able to use the data to market their goods and services to customers they would otherwise not have access to.
Typically, businesses ask users to join their mailing list. With personal information – information which can be used to identify a person – such as their name, e-mail address and birth date, businesses can advertise to users directly. Customer data is also frequently gathered from a user’s social media page, or, more traditionally, brick-and-mortar stores might ask customers to leave their details when completing a form or survey.
While most businesses tend to limit themselves to personal or transactional data, some, such as insurance or healthcare organisations, seek sensitive personal data, such as genetic data, religious and political affiliations, sexual orientation, etc.
What are the legal requirements for protecting data?
The legal requirements for data protection vary from country to country. The South African government primarily consulted Germany and the UK when drafting the POPI Act, which was partially brought into force in 2014. As a result, South Africa’s data protection rules closely follow the EU’s data protection framework, which the GDPR (General Data Protection Regulation) replaces when it becomes enforceable across the EU on May 25, 2018.
The regulations require that businesses have a lawful basis, usually the customer’s consent, before collecting and storing data, and that consent must be given freely. While the UK and the EU already have data protection rules in force, the GDPR has been designed to make businesses more accountable for customer data, to impose security requirements, and to make it easier for users to find out what data businesses hold about them and why. Under current rules, businesses across Europe can charge users for requesting their data; under the GDPR such requests are not only free, but companies will need to comply within a month of receiving them.
Companies with 250 employees or more will need to keep documentation explaining why data is being taken and stored, as well as detailing policies about how the information will be used, how long it will be kept, and what technical security measures will be in place to prevent data breaches.
Typically, this is done using some form of encryption, which ensures anyone accessing the data without the encryption key sees only an unintelligible jumble of letters and symbols. Encryption only helps if the keys are held separately from the data and access to them is controlled, since an attacker who obtains both gets the plaintext. There are even customer relationship management packages, like Zoho, which help companies manage and use customer data while offering encryption of stored records as part of their GDPR features. However, business owners should be wary of outsourcing customer data management, as the business remains the controller and will still be held responsible for any breach of the regulations.
Companies whose core activities involve regular and systematic monitoring of users on a large scale will be required to appoint a data protection officer, who will work with each nation’s supervisory authority to ensure compliance.
Regulator offices will be responsible for ensuring company compliance, and while businesses have a grace period to organise themselves and most regulator officials will work with companies to establish compliance, the GDPR allows fines of up to €10 million or 2% of a firm’s global annual turnover for non-compliance, rising to €20 million or 4% for the most serious infringements.
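The encryption referred to above, as an added example that is not part of the original article or of any product it names: field-level encryption of a customer record with AES-256-GCM in Go. The record type, the field names and the sample customer are constructed for illustration, and the key is generated locally where a real deployment would fetch it from a key-management service. It shows what the paragraph does not: the key is held apart from the stored row, and with the wrong key decryption fails outright instead of yielding a readable jumble.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Customer is a hypothetical record. ID stays in the clear so rows can still
// be indexed; Name and Email hold base64 ciphertext once the record is sealed.
type Customer struct {
	ID    string
	Name  string
	Email string
}

// NewKey returns a fresh 256-bit AES key. In production it would come from a
// key-management service, never from the same database as the records.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one value with AES-256-GCM under a random nonce. The
// record ID is bound in as additional authenticated data, so a ciphertext
// copied into another row fails to open instead of decrypting as that row.
func sealField(key []byte, recordID, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openField reverses sealField. Wrong key, wrong record ID or tampered bytes
// all surface as a GCM authentication error; no partial plaintext is returned.
func openField(key []byte, recordID, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// SealCustomer encrypts the personal fields of c and returns the row to store.
func SealCustomer(key []byte, c Customer) (Customer, error) {
	name, err := sealField(key, c.ID, c.Name)
	if err != nil {
		return Customer{}, err
	}
	email, err := sealField(key, c.ID, c.Email)
	if err != nil {
		return Customer{}, err
	}
	return Customer{ID: c.ID, Name: name, Email: email}, nil
}

// OpenCustomer decrypts a stored row; it fails closed on the wrong key.
func OpenCustomer(key []byte, c Customer) (Customer, error) {
	name, err := openField(key, c.ID, c.Name)
	if err != nil {
		return Customer{}, err
	}
	email, err := openField(key, c.ID, c.Email)
	if err != nil {
		return Customer{}, err
	}
	return Customer{ID: c.ID, Name: name, Email: email}, nil
}

func main() {
	key, _ := NewKey()
	c := Customer{ID: "cust-0001", Name: "Thandi Nkosi", Email: "thandi@example.org"} // constructed sample
	stored, _ := SealCustomer(key, c)
	fmt.Printf("stored row: %+v\n", stored)
	back, _ := OpenCustomer(key, stored)
	fmt.Printf("opened with right key: %+v\n", back)
	wrongKey, _ := NewKey()
	_, err := OpenCustomer(wrongKey, stored)
	fmt.Println("opened with wrong key:", err)
}
```

Binding the record ID into the authenticated data is what stops a ciphertext being moved between rows; a plain encrypt-at-rest scheme without it would decrypt any stolen field under the right key regardless of where it was inserted. The same pattern applies to whichever fields the documentation in the next paragraph classifies as personal.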
While many of these regulations are still to be confirmed and enacted in South Africa, fines there are limited to 10 million rand, although serious offences can be punished by up to 10 years in prison.
Another difference for South African businesses is that the Act also covers juristic persons, which includes companies and trusts, while the GDPR only covers natural persons. Thus, South African businesses need to ensure data about other organisations meets the same levels of protection as personal data.
As the government moves closer to finalising the Information Regulator, the POPI Act will begin to be enforced. Businesses should start preparing their data protection policies and security systems now to avoid being penalised later.
Definitions of personal information and sensitive personal information: https://gdpr-info.eu/art-4-gdpr/
POPI Act & SA Information Regulator: https://uk.practicallaw.thomsonreuters.com/5-503-0787?transitionType=Default&contextData=(sc.Default)&firstPage=true&bhcp=1 | https://iapp.org/news/a/introducing-south-africas-first-dpa/ | https://iclg.com/practice-areas/data-protection/data-protection-2017/south-africa | https://www.entrepreneur.com/article/226456
GDPR: http://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018 | http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML