Data Privacy and Data Governance

Protection of Personal Information Act

The Protection of Personal Information Act (PoPIA) was promulgated in 2013 and requires companies to take adequate precautions against data loss. In addition, the Act requires that companies take urgent steps to notify both the Regulator and the data subject of any breach.

The Act allows plaintiffs to seek damages for compensation for losses suffered as the result of a breach, along with aggravated damages and interest.

Global Data Protection Regulations

In Europe, the Global Data Protection Regulations (GDPR) are similar regulations affecting business holding data related to EU citizens. Many larger South African firms are directly affected, as they do business with, and in EU countries. GDPR requires that breaches must be reported within 72 hours to allow the injured party to take precautions.

We should also remember that many other African countries have their own similar laws. Companies doing business in the rest of Africa should understand the implications of managing data that may shift from jurisdiction to jurisdiction, and ensure that adequate governance in is in place to ensure compliance.

Failure to comply has consequences

The legal consequences for noncompliance – such as a breach – may range from civil suits, to criminal charges, fines and even prison sentences.

The reputational impact, should also not be underestimated, Would you continue to do business with a company that lost or sold your personal identifiers or contact details to unknown third parties?

(are you ready for GDPR? Take Collibra’s snap quiz)

Data Governance is a necessity

GDPR and PoPIA signal a shift in how we think about data privacy. These acts move the focus away from the data – those bits and pieces of information typically flagged for privacy – to focus instead on the fundamental rights of the data subjects.

PoPIA requires that organisations put processes in place to ensure that data is only used for the purpose for which it was intended, that data is protected from unauthorized access, and that there is accountability for how data is used within the business.

At its core, PoPIA requires that sound data governance principles are proven to have been in place throughout the life cycle of personal data.

The key requirements of PoPIA are summarized below and linked to their applicability at different stages of the data life cycle.

Accountability

Responsible party to ensure conditions for lawful processing
Processing Limitation
Lawfulness of processing

Processing Limitations

Consent, justification and objection
Collection directly from data subject

Purpose Specification

Collection for specific purpose
Retention and restriction of records

Further Processing Limitation

Further processing to be compatible with purpose of collection

Information Quality

Quality of information

Openness

Documentation
Notification to data subject when collecting personal information

Security Safeguards

Security measures on integrity and confidentiality of personal information
Information processed by operator or person acting under authority
Security measures regarding information processed by operator
Notification of security compromises

Data Subject Participation

Access to personal information
Correction of personal information
Manner of access

Collibra Data Governance Center

In the EU, the impending deadlines related to GDPR have driven investment in tools like the Collibra Data Governance Center – which automates the complexity of governing enterprise data.

The Collibra DGC helps your staff to find, understand and trust tour data, provides graphical views of how data flows between systems or across borders, automates critical data governance processes with off the shelf workflows, and proves that the organisation has taken steps to hold staff accountable for compliance to privacy laws.

In South Africa we are still largely focussing on just ojne of the seven pillars – data security

It is time to take data governance seriously!