- An act of breaking or failing to observe a law, agreement, or code of conduct.
- A break in relations.
- A gap in a wall, barrier, or defence, especially one made by an attacking army.
Last week brought the revelation that the personal information of over 30 million South Africans has been compromised. The exposure places millions of South Africans at significant risk of identity theft and related cybercrime.
Ironically, just last week we posted that the regulatory need to protect sensitive data is a key driver for data governance.
Data Privacy and Data Governance
The Protection of Personal Information Act (PoPIA) was promulgated in 2013 and requires companies to take adequate precautions against data loss. In addition, the Act requires that companies take urgent steps to notify both the Regulator and the data subject of any breach.
The Act allows plaintiffs to seek damages for compensation for losses suffered as the result of a breach, along with aggravated damages and interest.
In Europe, the General Data Protection Regulation (GDPR) is a similar regulation affecting businesses holding data related to EU citizens. Many larger South African firms are directly affected, as they do business with, and in, EU countries. GDPR requires that breaches be reported within 72 hours to allow the injured party to take precautions.
We should also remember that many other African countries have their own similar laws. Companies doing business in the rest of Africa should understand the implications of managing data that may shift from jurisdiction to jurisdiction, and ensure that adequate governance is in place to ensure compliance.
Failure to comply has consequences
The legal consequences for noncompliance – such as a breach – may range from civil suits, to criminal charges, fines and even prison sentences.
The reputational impact should also not be underestimated. Would you continue to do business with a company that lost or sold your personal identifiers or contact details to unknown third parties?
GDPR and PoPIA signal a shift in how we think about data privacy. These acts move the focus away from the data – those bits and pieces of information typically flagged for privacy – to focus instead on the fundamental rights of the data subjects.
PoPIA requires that organisations put processes in place to ensure that data is only used for the purpose for which it was intended, that data is protected from unauthorized access, and that there is accountability for how data is used within the business.
At its core, PoPIA requires that sound data governance principles are proven to have been in place throughout the life cycle of personal data.
The key requirements of PoPIA are summarized below and linked to their applicability at different stages of the data life cycle.
- Responsible party to ensure conditions for lawful processing
Processing Limitation
- Lawfulness of processing
- Consent, justification and objection
- Collection directly from data subject
- Collection for specific purpose
- Retention and restriction of records
Further Processing Limitation
- Further processing to be compatible with purpose of collection
- Quality of information
- Notification to data subject when collecting personal information
- Security measures on integrity and confidentiality of personal information
- Information processed by operator or person acting under authority
- Security measures regarding information processed by operator
- Notification of security compromises
Data Subject Participation
- Access to personal information
- Correction of personal information
- Manner of access
In the EU, the impending deadlines related to GDPR have driven investment in tools like the Collibra Data Governance Center – which automates the complexity of governing enterprise data.
The Collibra DGC helps your staff to find, understand and trust your data, provides graphical views of how data flows between systems or across borders, automates critical data governance processes with off-the-shelf workflows, and proves that the organisation has taken steps to hold staff accountable for compliance with privacy laws.
In South Africa we are still largely focusing on just one of the seven pillars – data security.
It is time to take data governance seriously!