TECHNOLOGY
TIPS FOR TECHNIQUES

PoPI IN A NUTSHELL

The PoPI Act focuses on the collection, storage, utilisation and disposal of an individual's personal information. It provides clear guidance to companies on exactly how these matters should be handled. It is governed by eight principles:

● Lawful collection: Information may only be obtained from an individual in a lawful, consented manner;
● A clear motivation for data collection: There must be a specific reason that each and every piece of information is required and collected. No more "just because" reasoning will be allowed;
● Clear scope for information required: What does the company want to do with your information? For example, if they want to collect driver's license information to see how many Code 08 drivers there are, they may only do that. They cannot later decide to check other details;
● Quality control: The person collecting the information has a responsibility to ensure reasonable quality control. Information collected should be appropriate and relevant;
● Ongoing transparency: When data is processed, the affected party, as well as the Information Regulator, has to be kept informed;
● Active involvement: When an entity collects information about a specific person, the person in question must have active involvement in the process. The person whose data is being collected must have the opportunity to amend and update information as and when required; and
● Accountability: Accountability rests on the shoulders of the person responsible for processing the information. Every reasonable step aimed at data protection and security should be followed.
The required protocol following a data breach

When a data breach is detected, companies are obliged to provide the following information to the Information Regulator:

● What type of breach occurred;
● How exactly it happened;
● Who the affected parties are;
● What steps will be taken to inform the identified parties of the breach;
● What mitigating steps are in place; and
● What risk management factors are in place to ensure that future data breaches do not happen again.
Elevation Business Magazine
Defining data privacy

Data privacy is concerned with the collection, use, storage and eventual disposal of personal information. With the rise of data privacy laws, companies are required to clearly define the purpose for which they want access to personal information.

What can then be defined as data?

Most of us have had to "accept cookies" when browsing a website. Very few, if any, of us ever read the privacy policies connected to these. The purpose of all this is quite simple: cookies collect valuable information about what is browsed on the site and the data entered, and they authenticate a user before sensitive data is released.

The rollout of data privacy laws

In 2018, Europe took its first step towards ensuring the protection of the personal data and privacy of EU citizens with the General Data Protection Regulation. It sets guidelines for collecting and processing personal information from individuals, companies and organisations based in Europe and EU member states. Heavy fines and even imprisonment are on the cards for companies that fail to comply and fall victim to data breaches.

Following in the steps of Europe, South Africa introduced the PoPI Act, or Protection of Personal Information Act. Like the GDPR, the PoPI Act governs when and how organisations collect, use, store, delete and otherwise handle personal information. To give effect to this Act, an Information Regulator had to be established to ensure compliance with related local and international legislation. It takes action on non-compliance and amends legislation as and when required.

In the past, data privacy was not an important focus area for many types of business. But considering that there is a 12-month grace period since the Act came into effect on 1 July 2020, time is running out to comply.