What is Data Protection and Data Privacy Legislation?
Data protection and data privacy legislation are laws that protect your rights to online privacy by controlling when and how businesses and organizations can collect, utilize and store your personal information.
The Protection of Personal Information Act (POPIA) is South Africa’s data protection law. When it was passed on July 1st, 2021, POPIA brought South Africa’s data protection standards on par with the EU’s General Data Protection Regulation (GDPR), a law which has shaped global norms and values since its debut in 2016.
However, the value of data protection legislation like POPIA goes beyond just protecting your personal information. By fostering trust between the consumer and the business, legislation like POPIA has the power to shape our economies – macroeconomics has shown that as trust improves, economic prosperity grows.
Understanding POPIA – Summary
Essentially, POPIA protects individuals by ensuring that businesses adhere to proper legal standards when collecting, utilizing and storing your private information. Businesses must acquire your full, knowledgeable consent before collecting and processing any of your personal information.
The Act is enforced by the Information Regulator, which is “empowered to monitor and enforce compliance by public and private bodies with the provisions of the POPIA Act.” Businesses that are non-compliant with POPIA can be prosecuted by the Information Regulator and handed severe punishments: fines totalling R10 million and prison sentences of up to 10 years for complete breach of the Act, while minor offences are punishable with a fine and a prison sentence of a maximum of 12 months.
For a business-centric summary of 8 POPIA conditions from a regulatory compliance perspective, read our analysis here.
POPIA Compliance – Who is Affected?
Since it became legally enforceable on July 1st, 2021, every business, NGO, trust, and other such organization has had to comply with POPIA (apart from South Africa’s parliament and judicial system).
POPIA often uses the term ‘Data Subject’, which refers to the person or entity that the personal information belongs to or is about. Because nearly every person has had their personal information processed by a third party, every individual is a data subject to some degree.
As a data subject, you will not have to worry about complying with POPIA. Information that is purely for personal household activities is exempt, as well as information that exists for journalistic, literary, or artistic purposes.
What Are Your Data Subject Rights?
POPIA outlines eight basic conditions for the legal processing of personal information. Of these eight, the following five are essential to understand from the perspective of a data subject…
Condition 2 - Processing Limitation
Every business or organisation must acquire your explicit consent before they can gather and process your personal information. A business should not collect and process more information than is necessary for the task at hand, and it should always be done in a manner that does not infringe upon the data subject’s privacy.
Condition 3 - Purpose Specific
Your personal data can only be collected and processed for a specifically defined and lawful purpose, which you must have consented to. Additionally, personal data must be destroyed once it has served its purpose or after an agreed-upon timeframe.
While Condition 2 requires your consent before a business can collect and process your data, Condition 3 means that businesses must clearly state what they are going to use your personal information for.
Condition 4 - Further Processing Limitation
Your personal information cannot be reused for a secondary purpose after it has already been collected. If a business wants to use your personal information for a purpose different to what it was originally collected for, you will have to grant them additional consent.
Although businesses may have formerly abused your right to privacy by reusing your data or selling it to third parties for a profit, this is now illegal unless you consent to it. For example, if you grant permission for your personal information to be used for medical reasons, that information cannot be sold to advertisers unless you explicitly consent to it.
Condition 6 – Openness
A business must always tell you exactly who is collecting and processing your data, as well as for what purpose it is being processed.
In most cases, this information will be outlined within a business’s privacy policy, user agreement or terms and conditions of use. Businesses must be able to prove that you knew and consented to these, so consumers will typically be asked to consent by clicking ‘agree’ on such documentation.
Condition 8 - Data Subject Participation
You have the legal right to request the immediate correction or deletion of any personal data, as well as to request knowledge of where and how your data is being stored.
Additionally, you have the right to always ‘opt-out’ of direct marketing – advertising via SMS, email, or telephone calls from businesses must always be optional.
Why POPIA Is So Important – Fostering Trust and Economic Growth
Trust – understood as “our willingness to be vulnerable to the actions of others because we believe they have good intentions and will behave well towards us” – has been repeatedly undermined by companies and governments mismanaging and abusing personal information. Although many variables besides the abuse of personal information contribute to it, the decay of trust is rife: we are more suspicious of businesses, government, and each other than ever before, and the share of the global population that felt like most people could be trusted has fallen by 20% over the last 15 years.
Laws that govern the protection of personal information – such as POPIA, the GDPR and China’s PIPL – are essential for restoring this trust. In an interview with Deloitte, the director of MIT’s Connection Science laboratory Sandy Pentland explained the value of transparency when dealing with personal information.
“I’m going to deliver this service to you, and then without really making it clear, we’re going to sell your data on the side. That’s a violation of trust. A consequence is that if I don’t understand your business model and what you are offering me and what the value is to you, I can’t trust you. It’s that transparency in value, the relationship, and the motivations that are often left on the floor” –Sandy Pentland, MIT.
The legal requirement for the acquisition of data subject consent empowers individuals to make informed decisions about how and when their personal information is collected and processed. This fosters an environment in which consumers can trust that businesses will not abuse their personal information once it is collected. This is invaluable, because countries in which businesses, governments and other institutions engender more trust experience stronger per capita real GDP growth. Macroeconomics has shown that as trust improves, economic prosperity grows.
KYC, Enhanced Due Diligence and Identity Verification Services for South Africa
It is clear how vital it is to rebuild the trust we have lost. However, it is naïve to simply ask people to trust one another. The risk of loss is too high. Trust must be rebuilt on verifiable identities that can offer peace of mind by affirming the integrity of those we do business with.
As South Africa’s leading provider of world-class due diligence and remote-onboarding solutions, ThisIsMe is proud to be at the forefront of a trust-based and privacy-compliant digital world. To experience our full suite of advanced due diligence services, book a demonstration by contacting our team here.