GDPR and POPIA: Acquisition and data entry

26 September 2018
Written by Gericke Potgieter

Gericke is responsible for marketing systems management and data analytics at EPI-USE Labs. He is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics (Decision Making Theory). He has spent most of his career in IT, strategy consulting and software development.


In this second article of the series on GDPR and POPIA, we will learn about good data habits.  Legal compliance, in this case, is mostly just that: practical ways to respect people and their data. Read on:

“May I have your number?”

The world of dating can make the strongest of us whimper. It also gives us a perfect metaphor for the complexities of data acquisition and management.  

Imagine you see a person at your local coffee shop whom you find attractive. How do you go about getting their number? The first step is to check that there aren’t any legal (or ethical) barriers, like wedding or engagement rings. No rings? No problem!

You approach the person and politely ask for their details. If you ask for their bank details or home address right off the bat, you will be swiftly rejected and possibly asked to leave the coffee shop. Instead, you ask for only that information that will help you achieve your goal, like a telephone number. At the same time, giving you a phone number gives them full control over whether they would want to answer your calls.

Sometimes you will have to work for it when they ask: “Why do you want my number?” You have a specific purpose, which is to try and get that first date. However, your potential paramour might wonder if you won’t be using it for fraud. They don’t yet know how well behaved you are, after all.

The data lifecycle starts with acquisition and data entry. Both GDPR and POPIA put focus on acquisition because it is the first point of contact where data subjects have the most control.

Today we will look at the three critical elements of data acquisition and entry.

Legal basis, purpose, and minimal data

When data is first acquired there must be:

  1. A legal basis for processing data
  2. A clear purpose for using the data
  3. A minimal amount of data collected for the intended purpose.


What do GDPR and POPIA say about data acquisition and entry?

Under both GDPR and POPIA, data processing is subject to the principles of minimal information and specific purpose, with the data acquired on a legal basis.

In Paragraph 39 of the opening statement of the GDPR legislation we see that “personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed” and in Paragraph 156 we see “safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation.” According to the GDPR, processing of personal data requires a specific purpose, and the data collected needs to be minimized and then safeguarded.

POPIA reflects similar sentiments. In Section 10 of Chapter 3 it is stated that “personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.” It goes on to provide more detail in Section 13 on the issue of specific purpose: “Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.”

Legal basis comes in many forms. Data acquisition can be mandatory, on the basis of legitimate interest or as a result of specific consent. Both GDPR and the POPI Act provide for six different types of legal basis, namely:

  1. Consent
  2. Contractual obligations
  3. Legal obligations
  4. Vital interests
  5. Public tasks
  6. Legitimate interests


These legal bases are balanced against individual rights and the needs of the person or organization collecting and processing the data.

POPIA is not just about people, but organizations too

One of the most striking differences between GDPR and POPIA is the data subject. GDPR is solely focused on natural persons as data subjects, but POPIA defines a person as “a natural person or a juristic person.” Where GDPR is only applied to natural persons, POPIA extends to any legally registered entity.

Putting POPIA policies in place

Preparation for privacy laws requires a clear strategic plan. However, if your company operates within South Africa, your efforts to implement privacy laws will not only affect databases that reference individuals, but also those that reference companies.

When setting up data acquisition policies consider the following:

  1. Procedures for managing customer data compliance
  2. Procedures for managing employee data compliance
  3. Procedures for managing compliance with regard to suppliers, contractors, and other organizational clients.

Your system will need to reflect your policies and include all the new compliance-related fields for every database object. Be sure to include functions that allow for simple proof of consent and legal basis.
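
One way to carry legal basis, purpose and minimal data as compliance fields with a simple proof of consent. This is an added example, not code from the article or from EPI-USE Labs; the purpose register, the field names and the sealing key are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# The six legal bases listed in the article.
LEGAL_BASES = {"consent", "contractual_obligations", "legal_obligations",
               "vital_interests", "public_tasks", "legitimate_interests"}

# Hypothetical purpose register: the only fields each purpose may collect.
PURPOSE_FIELDS = {
    "newsletter": {"email"},
    "order_fulfilment": {"name", "email", "delivery_address"},
}

def _seal(body, key):
    # Keyed digest over the canonical record, so edits are detectable on audit.
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def acquire(subject_type, data, purpose, legal_basis, key, consent_evidence=None):
    """Check an intake against the three acquisition rules and return the
    compliance record to store beside the data. Raises ValueError otherwise."""
    if subject_type not in {"natural_person", "juristic_person"}:  # POPIA covers both
        raise ValueError("unknown subject type")
    if legal_basis not in LEGAL_BASES:
        raise ValueError("no recognised legal basis")
    if purpose not in PURPOSE_FIELDS:
        raise ValueError("purpose is not in the register")
    excess = set(data) - PURPOSE_FIELDS[purpose]
    if excess:
        raise ValueError(f"fields not needed for purpose: {sorted(excess)}")
    if legal_basis == "consent" and not consent_evidence:
        raise ValueError("consent claimed without evidence")
    record = {
        "subject_type": subject_type,
        "purpose": purpose,
        "legal_basis": legal_basis,
        "fields_collected": sorted(data),
        "consent_evidence": consent_evidence,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }
    record["seal"] = _seal(record, key)
    return record

def verify_record(record, key):
    """Recompute the seal to confirm the stored proof was not altered."""
    body = {k: v for k, v in record.items() if k != "seal"}
    return hmac.compare_digest(_seal(body, key), record.get("seal", ""))
```

The sealing key would live in a secret store that the people who can edit the database cannot read; otherwise the seal proves nothing.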

Don’t be creepy

It all boils down to not being creepy. If a random stranger calls you to ask for a date, how would you feel? Perhaps you may wonder where they got your information. You may even feel threatened. Why is it then that companies are allowed to do precisely this? That is why laws like POPIA and GDPR came into being.

How do we survive our transition from being data stalkers to well-behaved suitors? It is simple: ask permission, have a good reason and ask only for what you need. And always keep a record.

Free POPIA Flowchart Poster

POPIA compliance is challenging, but this free flowchart poster provides detailed steps to ensure data privacy compliance for both new and existing data subjects.


SAP Knowledge Sidebar

by Jan van Rensburg

For many companies, SAP is the crown jewel for their customer and HR information. Data in SAP systems is analyzed and exchanged with other systems.

You have to ensure that you’re transparent about how the data is used, and who has access to it. If you perform data analytics based on personal data, you have to ensure that this is not beyond the reasonable expectations of the people who entrusted their data to you. This is especially true in consumer-facing industries, like retail, banking and utilities, where data analytics typically plays a vital business role. Evaluating the legitimacy and appropriateness of new analytics is part of the Data Protection Officer’s responsibilities. He or she is an independent advisor who must consult with the business and decide if an analytics initiative should go ahead. Preferably, a formalized and documented data privacy impact assessment should be performed.

Exchanging data with third parties has become serious business under both GDPR and POPIA. You will be partly responsible for data breaches or misuse, even if it was one of your vendors who was responsible. Care should be taken to ensure that vendors who process personal data have at least the same amount of data privacy protections that you yourself have. A starting place for SAP customers is to inventory all third-party interfaces and systematically ensure that you perform due diligence and contractual updates with third parties. On a continuous basis, interfaces should also be monitored to ensure that data that leaves your systems isn’t irregular.  

Disclaimer: The information published in the blog post is for informational purposes only and should not be construed as legal advice. Please contact your legal adviser for further guidance on this topic.

 

 
