First off, let’s get it clear that Data Privacy is not the same as Information Security. Sure, firewalls, penetration tests, encryption and complex passwords are important, but they only form a small portion of what is required for Data Privacy compliance. Laws like POPIA (South Africa), PIPEDA (Canada) and GDPR (European Union) are in place or soon to be in place, and are designed to protect an individual’s right to privacy, something that has many more facets than just the IT department.
What is Personal Information (PI)?
The definitions vary slightly from law to law, but in general, personal information is information that relates to an identifiable person (or company in the case of POPIA in South Africa), including information such as race, gender, sexual preference, trade union or political party membership, biometric information, contact details, account numbers, and a whole lot more. Michalsons, a leading technology law firm, has a great article defining personal information as far as South African law goes. You can find the article here.
Reasonable Protection Measures
Part of most privacy laws is the concept of reasonable protection measures. These are often seen as the IT department’s responsibility – where things like penetration tests and network hardening are done to ensure the security of electronic devices. Data, however, takes on more shapes and sizes than just digital. Part of the responsibility for reasonable protection measures also encompasses your paper-based data: things like employment contracts, customer data, and many more items. It is your responsibility as a company to look after all these aspects, and this may include more physical security, lockable cabinets, and shredders (with accompanying shred-all and clean desk policies).
Taking Responsibility and Accountability
With these protection measures come accountability and responsibility. Within the different laws there are definitions for those to whom data belongs (subjects), those who decide what happens to data (responsible parties), and those who work with the data (processors). The naming may change, but the concepts are mostly the same. Between processors and responsible parties there is liability for data protection, and if you send data (say, payroll or accounting) to a 3rd party outsourced partner, you are still liable for the protection thereof – and as such you need to ensure that your contracts with these parties oblige them to offer at least the same level of protection for the data as you would.
This is an interesting point, because it means your supply chain and procurement department becomes a form of defensive line in your data privacy compliance. It’s no longer just about supplier identification and price negotiation; it’s now about responsible suppliers and the selection thereof.
Processes, Policies and Procedures
A few more principles of Data Privacy involve the way you collect data and how the subjects can participate. You need to ensure the data is up to date, and that subjects (customers, employees and so forth) can participate in ensuring the data is correct. It also means that your processes need to allow for someone to give or retract permission for using their data at any given time – a factor that means you as a company need to know where every bit of data for that client is held – something that is a lot more difficult than it may seem.
These are just a few of the principles of responsible Data Privacy; there are many more complex obligations and prerequisites that would need to be looked at. If you would like to find out more, why not book a meeting with me (either virtually or in person) to take a look at your current compliance level and risk. We can then advise on a way forward to ensure you are looking after data the way you should.
Ross G Saunders Consulting was founded in 2015 and specialises in Data Privacy, Information Strategy and Process Engineering. They deliver services through a network of professional consultants specialising in all things privacy related, from law to IT technical assistance. Their clients include software development houses, graphic design agencies, law firms, and various other verticals. They pride themselves on technical expertise, business acumen, and proven experience in technology, business and innovation. Enquire about the services offered today, and take control of your Data Privacy and Information Security.