Do you really know who owns your data?
From major corporations to cybercriminals, there is no shortage of individuals looking to gain access to the information that you share online. And while many companies look to safeguard your personal information, understanding data security is a crucial step in maintaining your digital autonomy when engaging on the internet (Higgins, 2020).
What is data privacy?
Data privacy is how individuals choose to maintain their privacy online. Ensuring the protection of your personal data is particularly important as this sensitive information continues to be a sought-after commodity. Engaging on the internet should be done with extreme caution as we still remain unsure of how sensitive information is being used without our knowledge.
Most individuals have found it easier to protect their personal data from phishing, password cracking and IP spoofing. And while these strategies safeguard them from common hackers, when it comes to legitimate online services and corporations, people are less certain of how to keep their data safe.
In order to legally protect citizens engaging in online activities, several countries, including South Africa, have enforced key data protection laws, namely POPIA in South Africa and the GDPR in the European Union (EU).
Looking at POPIA
The Protection of Personal Information Act (POPIA) is the comprehensive data protection legislation which was signed into law in South Africa in November of 2013. The purpose of this act is to protect individuals from their personal information being stolen, which has since become a fundamental human right. In order to achieve this, POPIA sets out conditions stipulating when it is lawful for someone to process another person’s personal information.
Key role players
POPIA involves three critical parties who can be either juristic or natural persons:
- The data subject: the person to whom the information relates.
- The responsible party: the person who determines why and how to process information.
- The operator: a person who processes personal information on behalf of the responsible party.
What are the penalties for non-compliance?
There are essentially two legal penalties or consequences for the responsible party (Michalsons, 2017):
- A fine of between R1 million and R10 million, or imprisonment of one to ten years.
- Paying compensation to data subjects for the damage they have suffered.
Various POPIA sections commencing on 1 July 2020:
- Conditions for the lawful processing of personal information
- The regulation of the processing of special personal information
- Codes of Conduct issued by the Information Regulator
- Procedures for dealing with complaints
- Provisions regulating direct marketing by means of unsolicited electronic communication
- General enforcement of the act
Looking at GDPR
The EU recently enacted legislation across all of its member states, namely the General Data Protection Regulation (GDPR), which is at the heart of the EU’s privacy controls (Nadeau, 2020). This regulation requires that all businesses protect the privacy and personal data of all EU citizens and members.
The GDPR basis for processing information
Before acquiring and processing necessary information, data processors must understand the following lawful bases (Boughton, 2019):
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing of the data is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Key areas of GDPR
In practice, this means that all partners, leads and customers should confirm that they want to be contacted and that organisations actively sought their permission. Therefore, a pre-ticked box that automatically opts customers in will not cut it anymore: opt-ins need to be a deliberate choice.
It is the responsibility of the market research organisation to ensure that all users can easily access their data and remove consent for its use. Practically speaking, this can be as straightforward as including an unsubscribe link within your email marketing template and linking to the customer profile that allows users to manage their email preferences.
GDPR requires you to legally justify the processing of all personal data that is collected. Ultimately you need to support why certain information is required and for what purpose.
Your Personal Data rights
With public concerns around personal data controls increasing tenfold, it is crucial that individuals lean on the clear, ethical and professional guidelines of the aforementioned Acts. This includes understanding your rights when it comes to personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
With regulations such as POPIA and GDPR being enacted, individuals can have peace of mind knowing that organisations are legally bound to comply with laws that safeguard their personal data. This highlights how your personal anonymity, privacy and autonomy remain of critical importance to organisations, the nation and the globe as a whole.
- Boughton, L. (2019). Back to Basics: Everything You Need to Know About GDPR in Market Research. Angelfish Fieldwork.
- Higgins, M. (2020). Why Data Privacy is Important. NordVPN.
- Michalsons (n.d.). Protection of Personal Information Act Summary - POPIA. Michalsons.com.
- Nadeau, M. (2020). General Data Protection Regulation (GDPR): What You Need to Know to Stay Compliant. CSO Online.