What is Data Privacy regulation?
Data Privacy regulation is a way to ensure companies practice good governance, and that individual (and company) personal information is protected and used in a responsible, transparent manner. As South Africans, three key regulations should be on your radar:
- POPIA – The Protection of Personal Information Act (South Africa)
- GDPR – The General Data Protection Regulation (Europe, Mauritius and others)
- NDB – The Notifiable Data Breaches Scheme of the Australian Privacy Act (Australia)
All the acts and regulations above relate to protecting the personal information of clients and employees, and in the case of POPIA, juristic persons too (things like companies, trusts and other legal entities). They all have a series of provisions and conditions to ensure that data is handled in an effective way and within certain parameters. Some of the key principles are transparency, limiting processing to only necessary things, allowing for data to be updated or removed, and not using data for purposes other than what you have communicated (there are plenty more, but there’ll be more about that in a later post).
In addition to these principles, the regulations and acts require some form of notification to data subjects (those to whom the data belongs), and often the general public, when there has been a breach. Aside from the fines these laws impose, the reputational damage from these kinds of breaches can be astronomical. In upcoming posts I will detail the key aspects of each regulation listed above.
Once that individual or company engages your services, then you start getting specific as to how you process information. And this is why…
You need to have adequate internal policies and procedures, you need to have effective and clearly communicated employment contracts, you need to run internal awareness sessions (see my article on data breaches), and a whole host of other activities to ensure you’re taking reasonable measures to comply. Coupled with that, compliance is an ongoing process, and I don’t for a second believe any company that states it is 100% compliant with any of these laws.
We at Ross G Saunders Consulting have numerous specialists within our network, covering everything from professional legal opinions on data privacy and information security to penetration testing and education for staff. If you feel you need a hand coming to grips with the above, please reach out to us for a meeting. We’ll assist in taking the guesswork out of your ongoing compliance needs, ensuring that privacy and InfoSec are a key part of your digital strategy going forward.