In South Africa, as around the world, companies and consumers observed Data Privacy Day at the end of January. Given the timing of the event in the annual calendar, it’s a great opportunity for organisations to remind themselves of their obligations to protect customer privacy over the coming year. In doing so, they will need to remember that privacy and security are two sides of the same coin.

This is increasingly important in the context of South Africa’s privacy law, the Protection of Personal Information Act (Popia). With large fines and potential jail sentences in the offing for non-compliance, the threat of reputational, financial and criminal risk for domestic firms has never been greater.

The story so far

Data Privacy Day celebrates the day in 1981 when Convention 108 was signed, heralding the first legally binding international treaty governing privacy. Yet, for decades after that date, consumer interest and awareness about privacy rights were limited. These carried over into the early days of the Internet, when personal information was freely acquired by a new breed of consumer tech company and then resold to advertisers and shadowy third parties, often without the individual’s knowledge.

That’s part of the reason why Europe’s GDPR was created. The first-of-its-kind legislation defined a swathe of new privacy rights for citizens, or “data subjects”, and demanded that the companies that they interacted with online respected these rights. Now the world, including South Africa, has followed suit. Gartner estimates that by 2023, 75% of the global population will be covered by modern privacy laws like GDPR.

That’s where Popia comes in. It establishes nine data subject rights, including the right to know what data a company holds on an individual, the right to have inaccuracies corrected and data deleted, and the right not to have personal information processed as part of direct marketing. As per the GDPR, it also establishes the conditions for lawful data processing – including accountability, openness, completeness of information and security safeguards.

This year’s Data Privacy Day marked just over 18 months since Popia became enforceable. And while the intervening time has been largely a time for the Information Regulator to educate organisations about their responsibilities, there are signs that the grace period may be coming to a close. According to law firm Bowmans, the regulator “has indicated that it will not hesitate to show its teeth going forward and it is foreseeable that we may witness the first fine or penalty imposed under Popia this year”.

Security and privacy: better together

This should be viewed as an opportunity, rather than yet another compliance burden for boards to manage. In fact, cyber executives are increasingly viewing data privacy laws and regulations as an “effective tool for reducing cyber risks … despite the challenges associated with compliance”, according to the World Economic Forum. But to improve privacy protections, those same executives must begin by enhancing security.

Why? Because you can have security without privacy, but never privacy without security. Privacy is the right for data subjects to control how their personal information is collected, stored and used. Fail to secure this data and others could access and use it unlawfully. In these terms, data security is an essential prerequisite for protecting customers’ privacy rights. It’s telling that the name for data privacy day in the EU is Data Protection Day. Without adequate “technical and organisational measures” as cited in Popia, true data privacy will always be out of reach.

Unfortunately, South African organisations are struggling to fulfil their obligations. A report from Surfshark ranks the country sixth globally in terms of cybercrime “density” – claiming it has 52 victims per one million Internet users. It’s also one of the highest in Africa in terms of breach density – with between five and nine breached e-mail accounts per 100 users.

Start with data security

That’s why data-centric security must be an essential building block for privacy-first organisations. According to Popia, South African organisations must “establish and maintain appropriate safeguards” against the loss or damage of or unlawful access to personal information. What better way to do this then by applying strong protection to personal information stored by the organisation in the form of tokenisation or encryption?

By doing so, boards have the peace of mind that even if malicious actors manage to access their customers’ data, it will be useless to them. Even better, they can scramble this information while still being able to use it for data analytics and other growth opportunities.

Data Privacy Day has passed now for another year. But its lessons should resonate throughout South African businesses in 2023. It’s better to take action now to protect customer and employee personal information than be caught out in the future.

About comforte AG
Comforte AG has evolved into a market leader for data security and cloud-native tokenisation. Combining our experience in securing data in motion and rest, we took our portfolio one step further and created a “Data Security Platform” that seamlessly integrates into the most modern cloud-native environments as well as traditional core systems. Now more than 500 enterprises, including many Fortune 500 organisations, rely on comforte AG’s solutions to secure their data. With offices in Germany, the US, Singapore and Australia, comforte AG has a global reach.