Data privacy is the branch of data security concerned with the proper handling of data – consent, notice, and regulatory obligations.
The purpose of personal data protection is to protect the fundamental rights and freedoms of persons and companies that are related to that data.
Data privacy is the right of a citizen to have control over how personal information is collected and used. Data protection is a subset of privacy. This is because protecting user data and sensitive information is the first step to keeping user data private.
Data Privacy regulations relevant to SOuth African businesses
The European Union is widely regarded as the leader in protecting the data privacy rights of its citizens with its General Data Protection Regulation (GDPR). The Regulations protect European Union citizens' personal data around the world, making the regulation a benchmark for compliance around the world, and in particular for any business that may capture personal data related to any EU citizen. In practice, this means any almost company that has a website is subject to GDPR.
South Africa's data privacy regulation, the Protection of Personal Information Act (PoPIA) extends the definition of a citizen to include any juristic person. This means that our data privacy bill protects against the abuse of sensitive data related to individuals (like customers and employees) and companies (suppliers and partners).
A few other African countries, including Kenya, Uganda and Zimbabwe also have their own data privacy regulations. Others are, however, in the process of defining their own regulations.
In practice, most large organisations will have to comply with a number of regulations, and it is likely that the number of regulations will increase as more countries add their own interpretations. Sound data governance and data management practises should make it easy to meet compliance requirements,and to quickly adapt existing policies to prove compliance to additional regulations as these become relevant.
Ensuring data privacy requires sound data management practises
Whilst legal compliance is of course essential, the bulk of the effort of ensuring PoPIA compliance is built around ensuring sound data management practices throughout the data life cycle.
Data privacy is built upon a foundation of accountability.
In larger organisations, accountability means defining and sharing clear policies for the use of personal data, and ensuring that these policies are followed throughout the organisation. Polices can be linked to specific business processes and systems, to link individual actions to the underlying data and ensure that privacy is not infringed. A governed data catalogue can be an invaluable tool for tracking and sharing (and to external auditors and regulators) the details of your policies within the organisation, and for putting these into the context of actual data use.
Locate and document personal data
In order to protect personal data, we need to understand where it is captured and stored, and for what purpose.
This can be a very large challenge, particularly for larger organisations. The use of automated scanners to locate PII and other sensitive data can be extremely helpful to then complete Impact Assessments, Risk Assessments, Data Cataloguing and Classification exercises
Once data is secured we need to protect it from both internal and external threats. Whilst it may be tempting to focus on securing the perimeter of the organisation, many cases of abuse of personal data are internal. Managing data privacy effectively requires a nuanced approach to data security - ensuring role-based access to individual fields based on the user's processing purpose. Blending technology such as masking, encryption and user behaviour analytics ensures the granular level of security needed to ensure the data subject is protected.
A final piece in the puzzle is to monitor personal data access for suspicious activity. A number of breaches have occurred through the illegal activities of legitimately authorised users. By monitoring user activity and access, and flagging unusual or suspicious activities for further investigation, we minimise the risk of abuse.