With the European Union having recently passed Article 13, concerns around data privacy and how the internet is policed have cropped up once again.
While we wait for each of the EU member states to outline their own unique laws around Article 13, closer to home there are still the issues of PoPIA (Protection of Personal Information Act) and GDPR (General Data Protection Regulation) to consider.
Looking at both pieces of legislation is Lee Naik, CEO of TransUnion Africa, and in particular focusing on how they potentially impact the data privacy of your business.
Acknowledging that data privacy is a highly complicated subject, Naik also stresses the importance for more conversations to be had around both PoPIA and GDPR, especially as he fields questions from concerned CEOs across the country.
What are people asking?
When asked about the importance of data privacy, Naik points to how it can often limit the power and control an organisation has.
“At its heart, privacy is a limit on government power, as well as the power of private sector companies. The more someone knows about us, the more power they can have over us,” he says.
“We know that personal data is used to make very important decisions in our lives – from what financial products we get approved for to the kind of medical treatment we get. In the wrong hands, personal data can be used to cause us great harm. Just ask anyone who’s been on the receiving end of identity fraud,” Naik explains.
Another question often posed to Naik by CEOs is whether they should take a hands-off approach to PoPIA and GDPR. In this regard, the TransUnion exec says no, especially as PoPIA and GDPR carry heavy implications as far as fines and incarceration are concerned.
“As they’re two of the most important developments in data privacy regulation in the last few decades, I wouldn’t recommend it. Both can impose massive fines for non-compliance – up to €20-million or 4% of a company’s global turnover in the case of GDPR. Under PoPIA, the Information Regulator can impose a fine or imprisonment of up to R10 million or ten years in jail, as well as compensation to customers who have had their data compromised,” Naik notes.
It’s not just about avoiding fines though, in Naik’s view. He adds that adhering to these pieces of legislation will garner greater transparency in the eyes of customers, particularly as the use of personal data becomes an ever more important topic.
“As scary as the fines are, it’s not the penalties that should be driving adoption of these regulations. First, it just makes good business sense. Poor data management can lead to costly breaches and reputational damage to your business. Customers are also increasingly aware of how businesses use their personal data, valuing transparency and getting something of value in return,” says Naik.
“It is the right thing to do as a responsible business. Privacy will become integral to the way we work in the future and will differentiate you from your competitors. That’s why privacy needs to become part of your business DNA,” he adds.
What steps need to be taken?
After educating CEOs and business leaders on the importance of data privacy as it pertains to PoPIA and GDPR, the next thing that needs to be addressed is which steps should be taken by local organisations.
As far as this is concerned, Naik says some critical self-evaluation needs to be performed by businesses, looking at what kinds of data they are holding, and what processes need to be in place in order to comply with PoPIA and GDPR.
“It’s important not to see compliance as ticking a few boxes, however, as these are principle-based pieces of legislation. There is no one-size-fits-all approach – you will need to apply the principles according to the context of your business and data needs. You’ll need to start treating data – how you collect it, what you use it for, how you dispose of it and so on – as an ongoing strategic imperative,” he emphasises.
Naik also says that businesses should not necessarily worry about complying with one before the other, especially as the guiding principles behind both are quite similar.
“If you compare PoPIA with the GDPR you’ll notice that, except for semantics, the principles are aligned. So if you meet the principles of PoPIA, you’ll already be largely compliant with those imposed by the GDPR,” he says.
As for when businesses should start getting their ducks in a row, the TransUnion CEO says they need to start as early as today, because each organisation’s compliance journey is different.
In terms of time frames, GDPR came into effect in May of last year, and while the effective date for PoPIA has not been confirmed, businesses will have 12 months to become compliant once it does.
As such, they need to ensure their compliance journeys are something that decision makers are actively thinking about.
“Creating a culture of privacy within your organisation takes time and is best started today. Understanding and adjusting to these new approaches to privacy is not a once-off event but a new way of working. Beginning your journey early not only gets you ready to comply with PoPIA, it puts you in the best position to keep evolving your privacy strategies alongside new developments,” concludes Naik.