In this second article of the series on GDPR and POPIA, we will learn about good data habits. Legal compliance, in this case, is mostly just that: practical ways to respect people and their data. Read on:
The world of dating can make the strongest of us whimper. It also gives us a perfect metaphor for the complexities of data acquisition and management.
Imagine you see someone at your local coffee shop whom you find attractive. How do you go about getting their number? The first step is to check that there are no legal (or ethical) barriers, like wedding or engagement rings. No rings? No problem!
You approach the person and politely ask for their details. If you ask for their bank details or home address right off the bat, you will be swiftly rejected and possibly asked to leave the coffee shop. Instead, you ask only for the information that will help you achieve your goal, such as a telephone number. At the same time, giving you a phone number leaves them in full control over whether to answer your calls.
Sometimes you will have to work for it when they ask: “Why do you want my number?” You have a specific purpose, which is to try to get that first date. However, your potential paramour might wonder whether you will use it for fraud. They don’t yet know how well-behaved you are, after all.
The data lifecycle starts with acquisition and data entry. Both GDPR and POPIA put focus on acquisition because it is the first point of contact where data subjects have the most control.
Today we will look at the three critical elements of data acquisition and entry.
When data is first acquired there must be:
Data processing under both GDPR and POPIA rests on three ideas: minimal information, a specific purpose, and a legal basis for acquiring the data.
In Recital 39 of the GDPR’s preamble we see that “personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed”, and in Recital 156 we see that “safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation.” In short, the GDPR requires that personal data be processed for a specific purpose, that collection be minimized, and that what is collected be safeguarded.
POPIA reflects similar sentiments. In Section 10 of Chapter 3 it is stated that “personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.” It goes on to provide more detail in Section 13 on the issue of specific purpose: “Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.”
Legal basis comes in many forms. Data acquisition can be mandatory, on the basis of legitimate interest or as a result of specific consent. Both GDPR and the POPI Act provide for six different types of legal basis namely:
These legal bases are balanced against individual rights and the needs of the person or organization collecting and processing the data.
One of the most striking differences between GDPR and POPIA is the definition of the data subject. GDPR is focused solely on natural persons as data subjects, but POPIA defines a person as “a natural person or a juristic person.” Where GDPR applies only to natural persons, POPIA extends to legally registered entities as well.
Preparing for privacy laws requires a clear strategic plan. Note that if your company operates within South Africa, your compliance efforts will affect not only databases that reference individuals but also those that reference companies.
When setting up data acquisition policies consider the following:
Your system will need to reflect your policies and include the new compliance-related fields for every database object. Be sure to include functions that make it simple to prove consent and legal basis.
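To make this concrete, here is an added example (not from the article or any SAP product) of the kind of acquisition record and checks such a system could keep: each record carries its purpose, legal basis, subject type and consent evidence, and the checks flag fields that exceed the purpose or consent with no proof. The purpose-to-field policy, the three legal bases shown and the field names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class LegalBasis(Enum):
    CONSENT = "consent"                            # specific consent from the data subject
    LEGITIMATE_INTEREST = "legitimate_interest"    # justified by the controller's interest
    MANDATORY = "mandatory"                        # collection required by law or contract


class SubjectType(Enum):
    NATURAL = "natural"      # covered by GDPR and POPIA
    JURISTIC = "juristic"    # covered by POPIA only (registered entities)


# Constructed policy: for each declared purpose, the fields that are
# "adequate, relevant and not excessive". Anything else is over-collection.
MINIMAL_FIELDS = {
    "first_date": {"first_name", "phone"},
    "newsletter": {"email"},
}


@dataclass
class AcquisitionRecord:
    subject_id: str
    subject_type: SubjectType
    purpose: str
    legal_basis: LegalBasis
    fields: dict                      # the data actually collected
    recorded_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())
    consent_evidence: str = ""        # e.g. a form id or opt-in event reference (assumed)


def excessive_fields(record):
    """Return the collected fields that the declared purpose does not justify."""
    allowed = MINIMAL_FIELDS.get(record.purpose)
    if allowed is None:
        return set(record.fields)     # unknown purpose: nothing is justified
    return set(record.fields) - allowed


def proof_of_basis(record):
    """Return (ok, reason): ok only if the basis is evidenced and collection is minimal."""
    if record.legal_basis is LegalBasis.CONSENT and not record.consent_evidence:
        return False, "consent claimed but no evidence recorded"
    extra = excessive_fields(record)
    if extra:
        return False, f"fields exceed purpose '{record.purpose}': {sorted(extra)}"
    return True, f"{record.legal_basis.value} for '{record.purpose}' recorded at {record.recorded_at}"
```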
It all boils down to not being creepy. If a random stranger calls you to ask for a date, how would you feel? Perhaps you may wonder where they got your information. You may even feel threatened. Why is it then that companies are allowed to do precisely this? That is why laws like POPIA and GDPR came into being.
How do we survive our transition from being data stalkers to well-behaved suitors? It is simple: ask permission, have a good reason and ask only for what you need. And always keep a record.
For many companies, SAP holds the crown jewels: their customer and HR information. Data in SAP systems is analyzed and exchanged with other systems.
You have to ensure that you are transparent about how the data is used and who has access to it. If you perform data analytics based on personal data, you have to ensure that this does not go beyond the reasonable expectations of the people who entrusted their data to you. This is especially true in consumer-facing industries, like retail, banking and utilities, where data analytics typically play a vital business role. Evaluating the legitimacy and appropriateness of new analytics is part of the Data Protection Officer’s responsibilities. He or she is an independent advisor who must consult with the business and decide whether an analytics initiative should go ahead. Preferably, a formalized and documented data privacy impact assessment should be performed.
Exchanging data with third parties has become serious business under both GDPR and POPIA. You will be partly responsible for data breaches or misuse even if one of your vendors caused them. Take care to ensure that vendors who process personal data have at least the same level of data privacy protection that you have. A starting place for SAP customers is to inventory all third-party interfaces and systematically perform due diligence and contractual updates with those third parties. Interfaces should also be monitored continuously for irregular data leaving your systems.
Disclaimer: The information published in the blog post is for informational purposes only and should not be construed as legal advice. Please contact your legal adviser for further guidance on this topic.