Data may well be the most valuable currency in the world today. With enough data available, the options for companies to sell and market products to a specific target audience, and to drive and reward behaviours and incentives, have become almost limitless.
However, there are compliance checks in place to make sure that personal data is kept safe.
So, how do you make sure your company treads on the right side of the law?
Trust does not come easily anymore
When events like the Cambridge Analytica scandal happen, and companies continuously make use of data brokers to gain user information, users lose trust and want to know how their data is used.
With the uptake and growth of data-collecting technology in both work and personal lives, legislation around data handling and protection has become an urgent need if that trust is to be rebuilt.
Thus, we have seen the rise of the Protection of Personal Information Act 2013 (POPIA) in South Africa, a specific Act addressing data protection for South Africans. In Europe, the General Data Protection Regulation (GDPR) has come into force to help protect customer data.
Both POPIA and GDPR cover all companies, but banks, insurance companies and other financial companies need to take extra care to ensure that they are compliant.
With both POPIA and GDPR, you need to make sure that you:
- Have the consent to collect and process user data.
- Have a valid reason for collecting the information requested.
- Are transparent about how you will use the data you collected.
- Destroy the information if the individual requests it.
- Keep user data current.
- Do not keep user data in a shared database.
- Know how long you can store data.
- Know who can access user data at any time, and ensure that unauthorised persons cannot access it.
- Safeguard user data from a breach.
- Notify individuals if their data is breached, so that they can update or change their passwords, for example.
Building trust: the rise and rise of consent
In previous years, access to an individual’s data was a bit of a ‘free-for-all’, primarily where data brokers were concerned. Nowadays, users need to give either implicit or explicit consent for you to be able to collect, use and store their data.
This also gives them the option to opt out of having their data used at all.
Implicit vs explicit consent and opting out
When addressing consent, it is essential to note that there are different types of consent.
In short, explicit consent, or direct consent, happens when a user signs (or agrees to) a consent form in which a company outlines the way it wants to collect or use the user’s data. Consent can be given verbally or in writing.
An example of this is when a user signs up for a loyalty programme at a retailer, and the retailer uses buying behaviour to market relevant items to the user based on purchases made at the store.
Implicit consent, or implied consent, can mean one of two things.
- A user volunteers that their data may be collected to be used or disclosed for a purpose that seems evident at the time of giving the consent, or
- A user gives their information to a company, which uses it reasonably and in a way that benefits both the user and the company.
For example, when you make a purchase at a store, and the cashier asks if they can email your receipt, you provide your details specifically for this purpose.
Consent also has a reverse option: opting out, where consent is assumed unless the user actively declines it. Many online stores or companies use this type of consent to get permission to use a user’s personal information for other purposes, such as sending marketing emails.
Have you clicked the ‘no’ box recently?
Remember, if a user does not decline consent, it can be assumed by default. And while it may seem a bit greasy, many companies use this type of consent because it requires an action and attention that many users neglect to give. Who really reads all the Terms and Conditions?
As with many rules, there are exceptions. When a user is incapable of giving consent, or it is deemed impossible to obtain consent, a user’s data may be used for legal, medical or security reasons.
For example, during an emergency, medical staff could look up a patient’s details or contact their medical aid to determine medications or allergies to save a life.
What concerns are there?
Currently, both companies and users have trust concerns around POPIA specifically, and what opting in and out means. Most companies in South Africa are actively trying to avoid non-compliance with the Act and gain trust by being compliant.
As a customer, familiarise yourself with what is classified as personal information and ensure that you opt in (or out) to keep your data safe.
As a company, you need to familiarise yourself with the Act, what it covers, and how to stay compliant. You also need to know what non-compliance means.
Companies can make sure that their processes are compliant with POPIA by following this checklist:
- Download the Act and familiarise yourself with it.
- Appoint an Information Officer and ensure that the company knows what is happening with POPIA.
- Conduct a risk assessment to establish your current data protection status.
- Document what personal information you currently hold, where it comes from, how you are using it, and how it is shared.
- Ensure your company knows how to deal with personal information in terms of:
  - How you collect data.
  - Who can access data.
  - Whether the data is up to date.
  - How data will be used.
  - How data will be stored.
  - How you are keeping data safe.
  - How you disclose data collection and storage.
  - Who is responsible for what, from directors and top management to your Information Officer, the teams who handle personal information, vendors, contractors and suppliers.
  - How you handle complaints.
  - How you destroy data.
- Educate all employees in data management and usage.
What happens if you do not comply with POPIA?
You can view non-compliance from different angles. For example, you can be guilty of contravening POPIA if:
- You hinder, obstruct or attempt to unlawfully influence the regulator.
- You fail to comply with any enforcement notices.
- You fail to attend hearings (or lie under oath at a hearing).
- You act unlawfully in any way with account numbers (yes, even third parties are responsible).
If you are non-compliant, you could face a R10 million fine, imprisonment for up to 10 years, or a combination of both. If your offence is less severe, like hindering an official, you could face a fine, imprisonment for up to 12 months or a combination of the two.
What can companies do to safeguard their most precious asset?
Cyber-criminals have been in the headlines across the world for data breaches. We have all heard about or experienced them, from the City of Johannesburg being held to ransom to hackers threatening to leak previously unreleased episodes of Netflix and HBO series.
To ensure that your user data is safe, you need to have sensitive data management practices in place with the following key components:
- Look at data security from a holistic standpoint, from encryption to authorisation, authentication and trust across the company.
- Identify sensitive data.
- Act on the sensitive data you have identified by applying remedial actions.
- Have a strict auditing process in place.
- Invest in future-proof technology to address the regulatory requirements as new data sources and use cases are implemented.
In the digital era, the best advice is to move from an “if” to a “when” scenario when you consider data breaches: prepare for when a breach occurs, not if it happens. Always have a plan in place to address a breach.
- Make sure that employees know what to click and what not to click in emails, to help prevent ransomware attacks.
- Educate all employees in all aspects of data safety, and the value of keeping data safe and secure.
- Teach all employees the implications of sharing personal information online.
- Have an escalation process in place in the event of any breach occurring.
For your cloud security solutions, and to ensure you keep your user data safe, visit TarsusOnDemand.co.za.