Data privacy law in South Africa and Europe is built on the foundations of human rights. Regulations such as the Protection of Personal Information Act (Popia) in South Africa and the General Data Protection Regulation (GDPR) in the European Union are the legal walls that uphold these principles.
These laws and their approaches underpin perhaps one of the most critical points that every South African organisation should be considering right now – how to embed data privacy within company and culture. As Brendon Ambrose, GM of data privacy at Atvance Intellect, points out, it may sound like the softer side of compliance compared to anti-money laundering or corporate governance, but it has risen to the fore over the past three years.
“It comes down to one broadly philosophical question: How does your organisation want to treat others and society?” he asks. “This is an essential question because it defines the contract of social trust between business, government and citizens and the type of society that you want to live in.”
Data privacy is treated differently in different countries. In South Africa, it’s part of human rights. In the US, the protections are far less robust, and the concern is more around consumer protection and how organisations can monetise your data. This distinction may not seem like much on the surface, but it is becoming increasingly sticky as data flows across continents and countries. In Europe, the recent Schrems II case, one with a very long and complicated back story, found that the US allowing for digital surveillance was in direct conflict with the rights given to European citizens around privacy and data protection, the implications of which have yet to be fully understood when considered in light of data privacy, data transfer and social media.
“Every company today is a data company, whether they like it or not, and whether you hold the data yourself, or you use a CRM platform,” says Ambrose. “This means that cross-border data exchange and storage is very likely and, if not managed correctly, you run the risk of falling foul of data privacy regulations in one region, which could have far-reaching consequences.”
So, what exactly is personal data? Before the conversation gets ethical and convoluted, this is perhaps the best place to start. The answer is simple: any data that relates to an individual and that can be identified as being linked to that individual. Protecting this data, and individual identity, has become both a regulatory and ethical requirement for all organisations today.
“Ensuring the privacy of customer data is a provision of corporate responsibility,” says Ambrose. “You have to do it – if you don’t, you can soon be fined and suffer reputational loss. But if you do, the social impact is really positive. It shows your customers that you respect them, and it improves society as a whole. You want your clients to trust you, you want to build relationships. This is the real commercial benefit of investing into data privacy.”
At the core of data privacy within the organisation lies the obligations to the letter of the law, to acts such as Popia and GDPR. In terms of the former, as of 1 July 2021, the runway for compliance runs out. South African organisations will be held accountable and data privacy will become integral to the culture of companies by law. However, what this really comes down to, Ambrose believes, is a sense check.
“Everyone has a different limit for privacy, what they are willing to put out there,” he adds. “Some people are comfortable with a lot, others with a lot less. Companies need to understand what data they have, and how they have to protect it. They need to also be mindful of the data they are collecting on a cultural level – both internally as an organisation, and externally in terms of location. Perhaps the best rule of thumb should be to treat customer data as if it were your own.”
Most people want their data to be handled properly and fairly. This is not a complicated ask and is one that most organisations can achieve if they follow best practice and embed a culture of data privacy within the company. It is not an insurmountable problem to overcome and if an organisation isn’t ready for Popia, or hasn’t considered the subject before, it’s a task that should be approached methodically. Follow the principles of the law, treat the data as if it were your own, and pay attention to changes in regulation and approach.
“Work with a trusted partner who can help you to comply in the right areas, who understands what your company needs to become compliant, and who will save you money in the long term,” concludes Ambrose. “That way you’re in a good place and ready to tackle the world of data and privacy with confidence.”
- This promoted content was paid for by the party concerned