As you use your smartphone and connected devices more and more, a vast digital data-based footprint is created based on your behaviour. From a regulatory perspective, an important consideration is who owns all this data – the user or the service provider who stores it? If it’s the service provider, then what obligation does it have to store and protect your data? And to what extent can data be shared with third parties? As a result, compliance legislation is evolving to keep up and to protect individuals, consumers, and organisations.1
It’s vital for professionals today to understand the importance of compliance in business, as failure to comply with these laws could result in significant business risk. More than that, businesses and individuals who not only comply, but embrace these regulations can use it to their advantage – optimising customer experiences and building consumer trust.
This begs the question, what is compliance in business, and what does it take to remain compliant?
South Africa’s POPI and Europe’s GDPR
In South Africa, the Protection of Personal Information (PoPI) Act states that organisations must do what’s necessary to protect personal information against unlawful access or processing, as well as loss, damage, or unauthorised destruction. Non-compliance in business can result in significant penalties – up to R10 million, imprisonment of up to 10 years, or both.2
These acts and regulations are not just for personal data protection, they are also necessary to facilitate international data sharing. IT law consultant, Professor David Taylor, says, “As long as 20 years ago a law was passed that businesses can’t send information to another country unless that country has a proper privacy law in place, which is why we now have POPI. Europe wouldn’t send us their data without it. If your business is participating in the global economy, it has to comply with certain rules and regulations.”3
GDPR in Europe
Europe’s General Data Protection Regulation (GDPR) was implemented on 25 May 2018 and is intended to harmonise the data protection rules throughout Europe. It grants greater rights to individuals but also imposes significant new burdens on organisations with increased fines and penalties for breach of the rules.4
Requiring data protection ‘by design and by default’, in addition to the right to access and the right to erasure amongst others, companies will need to validate their ability to comply with data security, to uphold the extended rights of individuals, to produce documentation and security audits, as well as data breach notifications.5
Non-compliance can result in imprisonment of up to 10 years, and up to 4% of global revenue or €20 million, whichever is greater (GDPR) – as well as the accompanying brand reputation damage to those found short.6
GDPR in Hong Kong and Singapore
The GDPR primarily affects organisations operating within the EU. However, any company outside of the EU that offers goods or services to data subjects in the EU, or monitors the behaviour of data subjects in the EU will need to have GDPR compliance in business. The location of the organisation that collects the personal data is irrelevant; the rules apply when personal data is collected from an individual who is located in an EU country when the data is collected and processed, whether they are an EU citizen or not. Similarly, the GDPR does not apply to EU citizens when they are outside of the EU.7
According to consultancy EY, nine out of 10 companies in Singapore do not have a plan to cope with GDPR.8
Hong Kong businesses may be subject to greater data protection obligations under the GDPR than they currently experience under the Hong Kong Personal Data Privacy Ordinance. The key provisions are:9
- Consent – The GDPR requires organisations to obtain freely given, specific, informed, and unambiguous consent before collecting personal data from a data subject, unlike in Hong Kong where businesses generally do not need consent when collecting data, unless for marketing purposes.
- Data Protection Officers – The GDPR requires data controllers, or Data Protection Officers (DPO), to implement technical measures to build privacy by design and to conduct compulsory data-protection impact assessments, amongst other measures. There are no equivalent mandatory provisions in Hong Kong.
- Mandatory breach notification – Under the GDPR, should a DPO experience a breach of security, they will need to notify the Data Protection Authority in the relevant Member State within 72 hours of discovering the breach, unless the breach is “unlikely to result in a risk to the rights and freedoms of individuals”. In Hong Kong, there is no mandatory breach notification requirement.
- New and enhanced rights for individuals – The GDPR gives data subjects certain enhanced rights that are lacking in Hong Kong’s policies:
- The “right to be forgotten” – The right to request erasure of personal data that they have posted online.
- The right to data portability – The right to switch personal data between service providers.
- The right to object to processing (including profiling).
- Data processors – The GDPR imposes statutory obligations directly on data processors – currently not the case in Hong Kong or Singapore _– including maintaining records of their processing activities. This means that data processors can face repercussions directly for data breaches.
- Appointment of a designated representative – Non-EU business must appoint a representative to act as a point of contact for requests by the supervisory authorities or data subjects and represents the controller or processor.
How this has affected business
In section 66 of the POPI Bill, it states companies are not allowed to send any form of electronic marketing messages – such as emails and newsletters – without being granted permission by the recipients to do so.10
POPI outlines the following about direct marketing and how companies should act in order to remain compliant in business:11
- Collect personal information directly from the data subject
- Collect personal information for specific, explicit, and lawful purposes only
- Only process personal information with the data subject’s consent
- Don’t keep personal information for longer than necessary
- Make it easy for personal information to stay accurate and updated
- Notify the registrar and appoint an information officer
- Protect the security and integrity of personal information
- Any 3rd party/operator must contractually comply
- You must be able to report on the data if asked to do so
- You can only send direct marketing messages if you have the consent of the data subject to do so
- You may request consent
- The data subject must opt-in to every channel
- Where the data subject has requested a change, or opts out of a particular channel, this request must be honoured immediately
While marketing via email and text requires an opt-in consent, the digital marketing world falls somewhat in a grey area. To determine whether you need the consent of consumers to serve personalised advertising, or not will depend on what it is you want to do. When it comes to personalised advertising, consent is not the only way to justify it. In the EU, many digital marketers use the ‘legitimate interest’ argument where the impact on consumers’ privacy is measured by the interests of the business. However, efficient data management by recording when, why, and how the information was collected, and that it was only used for the original purpose, will ensure you can demonstrate that your use of data is, or was, compliant.12
Communicating with customers
In terms of section 11 of the POPI Act, a consumer may either refuse to accept, pre-emptively block, or require another person to discontinue any communication which may be seen as direct marketing. This includes telephone calls, e-mails, brochures or letters in the mail. Businesses will need infrastructure and systems in place to receive and record consumers’ specific preferences and abide by these expressed preferences.13
The business risks
To ascertain your business’s compliance, in lieu of POPI or GDPR, an initial complete survey of the business’s current personal data processing activities should be carried out. This can include its data protection and privacy policies, notices, international data flows, agreements and templates, products and services using personal data, and advertising/marketing activities and operational protocols. Assess which of the existing procedures and policies are adequate, and which are lacking or absent.
Consider the following when reviewing these according to low, medium, and high-risk areas:14
- The risk of exposure – for example, is this a public-facing privacy notice?
- What category of fines this non-compliance falls under
- Whether there is a nonconformity that was already required under an earlier law
- What reputational concerns are at risk
- Whether something can be made compliant quickly
- Whether agreements with third parties or business operations are at risk
- Whether regulators have already signalled interest in particular areas or issues
When people think ‘big data’, they usually think of major online retailers or social media giants. However, organisations of all sizes and sectors are getting closer to their data to improve and personalise the customer experience. This often creates new opportunities, and can even transform entire industries. The UK’s NHS Business Services Authority utilised recent data that has helped improve patient care and save nearly £600 million.15
Optimising Customer Experience (CX) and increasing consumer trust through accurate data has shown to drive higher conversions of sales and bring more repeat customers. More than that though, increased data regulations now afford other opportunities, such as legal companies and startups that now offer services to help companies deal with compliance laws. The international business community, for example in Europe, prefers that South Africa should have privacy legislation in place before doing business. Local organisations with ambitious growth strategies should see POPI as a business opportunity. It would eradicate even more barriers erected by international governments for South African executives to successfully embark on doing business internationally.16
Another opportunity born from POPI and GDPR is the new career path of the data protection officer. This enterprise security leadership role is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements, and is required by the General Data Protection Regulation (GDPR).17
The assumption that regulations can be crafted slowly and deliberately, and then remain in place, unchanged, for long periods of time, is an impossibility in this ever-changing, machine-learning, AI age. As new business models, technology, and services continue to emerge, government agencies are challenged with creating or updating regulations, enforcing them, and communicating them to the public at a previously undreamed-of pace. And they must do this while working within legacy frameworks and attempting to foster innovation.
Businesses will need to take more responsibility for their behaviour and comply. It’s going to require legal, organisational and technical measures and there is no silver bullet or shortcut.
“There are two ways that you can see this: either data privacy is just another compliancy issue, and you do what you need to in order to protect your business against legal action; or you realise that your business needs legislation like GDPR and POPI in order to survive and even thrive. Obviously, the latter is the stronger of the two approaches,” says Professor Taylor.18
Based on the above, it’s clear that professionals who wish to remain relevant in today’s dynamic, data-based business environment need to understand compliance, and at the very minimum, how it affects their industry and clientbase. Because of this, many are choosing to explore compliance management courses in order to gain up-to-date knowledge in legislation, as well as the ability to identify compliance risks and opportunities in their organisation.
- 1 Eggers, W. (Jun, 2018). ‘The future of regulation’. Retrieved from Deloitte.
- 2 Ramdhany, S. (Nd). ‘PoPI and GDPR: Data regulation and compliance is an opportunity for business’. Retrieved from Oracle.
- 3 (Jul, 2017). ‘GDPR or POPI’. Retrieved from ITWeb.
- 4 Tollefson, B. (Oct, 2018). ‘Ignoring the EU’s GDPR entirely is a perilous risk few non-EU companies can take.’ Retrieved from Financier Worldwide.
- 5 Ramdhany, S. (Nd). ‘PoPI and GDPR: Data regulation and compliance is an opportunity for business’. Retrieved from Oracle.
- 6 Ramdhany, S. (Nd). ‘PoPI and GDPR: Data regulation and compliance is an opportunity for business’. Retrieved from Oracle.
- 7 (Nd). ‘The Impact Of The EU GDPR On Hong Kong Businesses’. Retrieved from Ashford-Benjamin.
- 8 (2018). ‘Singapore companies: 10 Steps to being GDPR compliant’. Retrieved from Guide Me Singapore.
- 9 (Nd). ‘The Impact Of The EU GDPR On Hong Kong Businesses’. Retrieved from Ashford-Benjamin.
- 10 (Jul, 2014). ‘How POPI affects Email Marketing’. Retrieved from Blue Magnet.
- 11 (2013). ‘Act 4 of 2013: The POPI Act’. Retrieved from Legislation.
- 12 (Jul, 2018). ‘How Will the GDPR Affect Your Digital Marketing Campaigns?’ Retrieved from Everlytic.
- 13 Stretch, C. (Jan, 2014). ‘How do POPI and the Consumer Protection Act impact on my customer database?’ Retrieved from Entrepreneur Magazine.
- 14 Tollefson, B. (Oct, 2018). ‘Ignoring the EU’s GDPR entirely is a perilous risk few non-EU companies can take.’ Retrieved from Financier Worldwide.
- 15 Ramdhany, S. (Nd). ‘PoPI and GDPR: Data regulation and compliance is an opportunity for business’. Retrieved from Oracle.
- 16 Cameron, J. (Mar, 2014). ‘Popi: Plenty of costs, moneymaking opportunities in SA’s new privacy laws’. Retrieved from BizNews.
- 17 Lord, N. (Sep, 2018). ‘What is a Data Protection Officer (DPO)? Learn About the New Role Required for GDPR Compliance’. Retrieved from Digital Guardian.
- 18 (Jul, 2017). ‘GDPR or POPI’. Retrieved from ITWeb.