Some bad advice that I’m seeing more and more often comes from non-savvy advisors telling their clients that if they have a Privacy Policy, they’re safe and compliant with GDPR and POPIA. This is a seriously dangerous precedent and completely incorrect. Basically what you have here is a “Beware of the Dog” sign on the gate, but no dog, no security gates, and no doors on your house.

What is Data Privacy regulation?

Data Privacy regulation is a way to ensure companies practice good governance, and that individual (and company) personal information is protected and used in a responsible, transparent manner. As South Africans, three key regulations should be on your radar:

  1. POPIA – The Protection of Personal Information Act (South Africa)
  2. GDPR – The General Data Protection Regulation (Europe, Mauritius and others)
  3. NDB – The Notifiable Data Breaches Scheme of the Australian Privacy Act (Australia)

All the acts and regulations above relate to protecting the personal information of clients and employees, and in the case of POPIA, juristic persons too (things like companies, trusts and other legal entities). They all have a series of provisions and conditions to ensure that data is handled in an effective way and within certain parameters. Some of the key principles are transparency, limiting processing to only necessary things, allowing for data to be updated or removed, and not using data for purposes other than what you have communicated (there are plenty more, but there’ll be more about that in a later post).

On top of these principles, the regulations and acts require some form of notification to data subjects (those to whom the data belongs), and often the general public, when there has been a breach. Aside from the fines that these laws impose, the reputational damage of these kinds of breaches can be astronomical. In upcoming posts I will detail the key aspects of each regulation listed above.

Why a Privacy Policy is good

On the 24th of May 2018, your inbox was likely flooded by mails stating that “we’ve updated our privacy policy!” and the like. The reason for this was that GDPR came into play on the 25th of May. The GDPR requires, much like the others, that data is handled in a secure manner, and one of the ways of doing so is to have a solid Privacy Policy in place.

Your Privacy Policy is your safety net as an organisation, detailing up-front what you do with data in your possession. For example, if someone visits your website and fills in a form, your policy should state what you are collecting, and how it will be used, in a pretty general way.

Once that individual or company engages your services, then you start getting specific as to how you process information. And this is why…

Having a Privacy Policy does not equal compliance

As mentioned, your Privacy Policy is a blanket, catch-all statement of what you may do with someone’s data. Once you engage, that starts getting a whole lot more specific, and those pesky principles and conditions of each act start coming into play. You see, having a policy and stating what you are going to do is one thing, but protecting the data in your possession and processing it in the way you specified requires a whole lot more work.

You need to have adequate internal policies and procedures, you need to have efficient and clearly communicated employment contracts, you need to run internal awareness sessions (see my article on data breaches), and a whole host of other activities to ensure you’re taking reasonable measures to comply. Coupled with that, compliance is an ongoing process, and I don’t for a second believe any company that states they are 100% compliant with any of these laws.

As you can see, your Privacy Policy is simply the tip of the iceberg. You need to have a solid privacy strategy, touching every aspect of your organisation. This can be incredibly daunting, and is also why I believe you need someone actively managing your privacy and information security. In a larger organisation, this could fall to an InfoSec (Information Security) committee or compliance team, but in a smaller organisation you will need assistance.

We at Ross G Saunders Consulting have numerous specialists within our network, covering everything from professional legal opinions on data privacy and information security, to penetration testing and education for staff. If you feel you need a hand coming to grips with the above, please reach out to us for a meeting. We’ll assist in taking the guesswork out of your ongoing compliance needs, ensuring that Privacy and InfoSec are a key part of your Digital Strategy going forward.
