Get ready to change your passwords again. There’s been yet another massive data breach, this time in the form of Facebook having stored millions of user passwords in plain text format.
Is it any wonder that some of the questions I get asked most nowadays are around data privacy regulations? If the world’s biggest companies are struggling, what hope do the rest of us have of getting it right?
Data privacy is complicated. And it’s something we need to talk about more, in ways we all understand. That’s why I’d like to share some of the questions I get most from CEOs and business owners on how new data regulations like PoPIA and GDPR will affect them.
I’m no lawyer, nor do I play one on TV, so I’d like to answer these questions from the perspective of an executive whose organisation is currently going through its own data privacy journey.
There’s been a lot of brouhaha about data privacy recently. Why is it so important?
At its heart, privacy is a limit on government power, as well as the power of private sector companies. The more someone knows about us, the more power they can have over us. We know that personal data is used to make very important decisions in our lives - from what financial products we get approved for to the kind of medical treatment we get. In the wrong hands, personal data can be used to cause us great harm. Just ask anyone who’s been on the receiving end of identity fraud.
What’s with all these acronyms I keep reading about? PoPIA and GDPR?
The two are regulations meant to increase data privacy and protection for ordinary people. GDPR, which stands for General Data Protection Regulation, is an EU law and addresses the export of personal data outside EU and EEA areas. And considering the EU is one of SA’s biggest trading partners, this has the potential to affect many local businesses.
PoPIA - the Protection of Personal Information Act, is an all-encompassing South African law that seeks to create conditions for the handling of personal data in a responsible and transparent manner.
Should I step back and leave this one for the lawyers to handle?
As they’re two of the most important developments in data privacy regulation in the last few decades, I wouldn’t recommend it. Both can impose massive fines for non-compliance - up to €20-million or 4% of a company's global turnover in the case of GDPR. Under PoPIA, the Information Regulator can impose a fine or imprisonment of up to R10 million or ten years in jail, as well as compensation to customers who have had their data compromised.
So is it important because it’s about avoiding fines?
As scary as the fines are, it’s not the penalties that should be driving adoption of these regulations. First, it just makes good business sense. Poor data management can lead to costly breaches and reputational damage to your business. Customers are also increasingly aware of how businesses use their personal data, valuing transparency and getting some of value in return.
Then there’s the simple fact that the world is changing and we need to adapt. Data is the fuel that powers the digital revolution. Not only is there a lot more of it out there, it’s also a powerful tool to solve problems and grow business. With great power comes great responsibility - we need to understand what data is, how it works, and how to use it in a way that isn’t exploitative.
It is the right thing to do as a responsible business. Privacy will become integral to the way we work in the future and will differentiate you from your competitors. That’s why privacy needs to become part of your business DNA.
What if I’m a small business that doesn’t work with data? I’m safe, right?
Just because you’re not Facebook doesn’t mean you don’t work with data. Customer accounts, emails, phone numbers, financial and credit records, CVs - all of these contain personal data and fall under the domain of PoPIA and need to be handled responsibly. Remember, we’re living in a world where sharing too much information in tweets can lead to major consequences.
While GDPR and PoPIA might be the catalysts starting discussions about data privacy, adapting to this evolving digital world is about changing the way we work.
Practically, what do I need to do?
To start, businesses will have to perform some critical self-assessments to identify what personal information they hold and process and whether their processes comply with the principles set out on PoPIA and the GDPR. It’s important not to see compliance as ticking a few boxes however as these are principle-based legislations. There is no one-size-fits-all approach – you will need to apply the principles according to the context of your business and data needs. You’ll need to start treating data – how you collect it, what you use it for, how you dispose of it and so on – as an ongoing strategic imperative.
Between PoPIA and GDPR, which one reigns supreme?
There is no hard and fast answer to this - it depends on where you do business and how likely you are to be handling the personal information of EU citizens. If you’re domiciled in the EU or do business outside of SA’s borders, you’d obviously have to comply with GDPR first and foremost. However, even businesses that don’t do business internationally can’t afford to ignore GDPR completely. Given how we leverage technology (and transfer data), you may just hold the personal information that has been exported from the EU or EEA.
If both apply, which one should I tackle first?
If you compare PoPIA with the GDPR you’ll notice that, except for semantics, the principles are aligned. So if you meet the principles of PoPIA, you’ll already be largely compliant with those imposed by the GDPR. At TransUnion, our approach has been to implement best practice data privacy principles, rather than focus on compliance of the one or the other. This is the best approach if you’re a business that operates globally.
When do I need to get my data ducks in a row?
GDPR became effective on 25 May 2018, while PoPIA’s effective date is still unknown after the regulations were published 14 December 2018. Once that date is proclaimed, industry will have to comply within 12 months of that date. However, with GDPR already in play, a number of complaints have already been escalated to the respective information regulators.
Creating a culture of privacy within your organisation takes time and is best started today. Understanding and adjusting to these new approaches to privacy is not a once off event but a new way of working. Beginning your journey early not only gets you ready to comply with PoPIA, it puts you in the best position to keep evolving your privacy strategies alongside new developments.
How do you rate against your peers when it comes to data privacy? TransUnion will be partnering with ITWeb for a South African study on data privacy as we head towards the official date when PoPIA comes into effect. I’ll be sharing more details in the weeks to come, as well as further discussions on the evolving face of data privacy.