It’s Tuesday, 6th July 2021. PoPIA is in full effect after a grace period of one year. And yet, people are still struggling to understand the implications.

The Protection of Personal Information Act places data privacy first.

This means that the rights of data subjects – the prospects, customers, employees, vendors and partners whose data we collect – must be taken seriously when collecting and processing personal information.

Data privacy can be defined as the right (of individuals and legal entities) to have control over how their personal data is collected and used.

What is personal information?

Personally Identifiable Information (PII) is any data (like an ID number or email address) that can be used to identify an individual. While this is the definition in common use in the US, personal data goes beyond this constraint to cover any data linked to a person.

South Africa’s PoPIA defines personal information as:

“information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;”

The difference between personal information and data privacy

While the above definition of personal information may seem vast, it is self-contained.

From a data management perspective, data privacy is much more difficult to define because it is context-sensitive. Sometimes particular data (or data sets) are private, and in other contexts, it is not.

For example, if I am dealing with my doctor I would like them to have full access to my medical history. On the other hand, I would not want this to be shared with the general public.

This means that, in order to comply with data privacy regulations like PoPIA is not enough to identify personal information. We also have to capture the context of how this data is being used, by whom, and for what purpose.

The key data management challenge is ensuring that we are transparent with our data subjects as to why we are requesting their data and that we limit access to data based on these agreed purposes.

In order to achieve this we need to understand the context of where personal data is being used – something that is difficult to achieve in large organisations

Achieving compliance

To protect and manage data assets and ensure compliance and data privacy, organisations require an automated data stewardship platform that brings data governance, data catalogue, data lineage and data privacy management together and provides the necessary context and oversight.

With audit controls and data monitoring to track required actions, security protocols and retention policies, organisations with the right platform can provide automatic alerts for potential violations to ensure privacy and compliance. The same platform should facilitate an audit of business processes dealing with personal data to identify and manage compliance, operational and reporting gaps. Users can visually display these processes and connect related business terms, reports and rules to the appropriate steps so everyone has a common understanding of affected data assets.

Data governance that includes a data catalogue and data lineage provides accountability for data ownership and the ability for organizations to know where data is located and how it is being used. As a result of putting governance practices in place and using the appropriate tools, organizations improve the security and transparency of data usage, keep private information private and have a strategy for achieving data privacy compliance.

FAQ about Data Privacy

What is data privacy?

Data privacy refers to the protection of personal information that individuals share online or offline. It involves the collection, use, storage, and sharing of personal data in a manner that is lawful, ethical, and respectful of individual rights.

What are some examples of personal data?

Personal data includes any information that can be used to identify an individual, such as name, email address, phone number, address, social security number, date of birth, medical records, financial information, and browsing history.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a European Union (EU) law that came into effect in 2018. It sets out rules and standards for the collection, use, and storage of personal data of individuals in the EU, with the aim of protecting their privacy rights.

What is the Protection of Personal Information Action (PoPIA or PoPI)?

The Protection of Personal Information Action (PoPIA or PoPI) is a South African law that came into effect in 2021. It sets out rules and standards for the collection, use, and storage of personal data of South African individuals and legal entities, with the aim of protecting their privacy rights.

Who is responsible for protecting data privacy?

Everyone has a role to play in protecting data privacy. Individuals should be mindful of what information they share and with whom. Businesses and organisations are responsible for collecting, using, and storing personal data in a secure and lawful manner. Governments and regulators have a role in setting standards and enforcing laws that protect data privacy.

What is an Information Officer?

An Information Officer ensures that an organisation complies with PoPIA, responds to data protection inquiries, and acts as a point of contact for individuals whose data is being processed, amongst other responsibilities

What is a privacy policy?

A privacy policy is a statement or document that outlines how a business or organisation collects, uses, and stores the personal data of individuals. It also explains how individuals can exercise their privacy rights.

What are some best practices for protecting data privacy?

Some best practices for protecting data privacy include: collecting only the minimum amount of personal data necessary, obtaining consent for data collection and use, using encryption and other security measures to protect data, regularly reviewing and updating privacy policies and procedures, and training employees on data privacy practices.

What are some common privacy violations?

Some common privacy violations include: collecting more personal data than necessary, failing to obtain consent for data collection and use, using personal data for purposes other than what was specified, failing to implement adequate security measures to protect data, and failing to respond appropriately to data breaches.

What is a data breach?

A data breach is a security incident in which personal data is accessed or disclosed without authorisation. Data breaches can occur due to cyber attacks, system errors, or human error. They can lead to identity theft, financial loss, and other harms.

What should I do if my personal data is breached?

If your personal data is breached, you should take the following steps: (1) notify the organisation or business that experienced the breach; (2) monitor your accounts and credit reports for any unusual activity; (3) consider placing a fraud alert or freeze on your credit; and (4) report any suspicious activity to the relevant authorities.

image source pxfuel