Nowhere is the impact of the digital revolution greater, or its potential implications …more profound, than when it intersects with our expectations concerning what people know about us and how that information is used – in short, our privacy.
Adkinson WF, Eisenach JA and Lenard TM, “Privacy online: a report on the information practices and policies of commercial websites”
The Internet has brought with it many new ways for people to interact, communicate, and transact with one another. Information is the lifeblood of the digital economy and nowhere are the implications of this revolution felt more than in the realm of our privacy.
The advent of electronic communication has led to enormous abuses of personal information, including its use to perpetrate fraud in electronic banking, credit card transactions, and other commercially related activity. Another such abuse is that data subjects are flooded with unsolicited electronic communications (spam) that they do not want.
In this article, I will be discussing the right to privacy, consumer concerns, legal measures enforced to protect this right, and how businesses can lawfully process data without breaching the data protection laws.
THE RIGHT TO PRIVACY AND CONCERNS
Direct marketing has several advantages. To name a few: the increasing power of information processing technology has made the collection of customer information easy and affordable for direct marketers, it has made marketing more accountable, and it prevents clutter, allowing direct communications to be cost-effective.
Direct marketers rely for communication on their databases, which store consumers’ personal information. Consumers are growing increasingly aware that their information may be used without their knowledge and consent. This poses a threat of infringement of the right to privacy, and as a result countries have introduced legislation and regulations to protect this right.
To understand what this means in the context of direct marketing, it is important to start with the key definitions, the right to privacy, privacy concerns, and the laws regulating data processing and protection.
Definitions of data protection laws
The General Data Protection Regulation (GDPR) defines personal data as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Consumer Protection Act, 2008 defines the term direct marketing in terms of section 1 as to approach a person, either in person or by mail or electronic communication, for the direct or indirect purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the person; or requesting the person to make a donation of any kind for any reason.
A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. These definitions can be found in Article 4 of the GDPR.
The Personal Protection and Information Act, 2013 (POPI) defines a responsible party as a party who determines the purpose of and means for processing personal information. This decision may be made alone or in conjunction with another party.
The right to privacy, data privacy and concerns
The right to privacy is protected by the Constitution, common law, and data protection laws such as the GDPR and POPI. The Constitution protects the right to privacy in terms of section 14, which provides: Everyone has the right to privacy, which includes the right not to have their person or home searched; their property searched; their possessions seized; or the privacy of their communications infringed.
Obtaining consent, avoiding bias, the use of data, potential for abuse/misuse of data, and storing data securely are some of the key concerns with data collection and processing. Data breaches are on the rise and consumers are concerned about their personal information being misused or leaked on the net.
The need for data protection has become of paramount importance and has led to the introduction of data protection laws. These laws protect consumers’ personal data in the context of data collection and processing, and they give consumers more control over their personal data.
HOW TO PROCESS/COLLECT DATA LAWFULLY – DATA PROTECTION LAWS
Depending on your location and where data is processed, different data protection laws apply.
The European Union introduced the General Data Protection Regulation, which provides data privacy protection. It applies to any organisation operating within the EU, as well as any organisation outside of the EU which offers goods or services to customers or businesses in the EU. What this means is that almost every major corporation in the world needs to be GDPR compliant. In other words, if any entity is offering goods and services to EU citizens or monitoring their behaviour, it will be required to comply with the GDPR.
The GDPR places an obligation on data controllers to process data responsibly, including storing data securely, and imposes legal liability. It sets out seven principles that data controllers must comply with. They are as follows:
- Lawfulness, fairness, and transparency: staying within the law, and being open and honest about the way you use data.
- Purpose limitation: only using data for the specified purpose it is collected.
- Data minimization: only collecting and storing the data you absolutely need.
- Accuracy: making sure your data is correct and up to date, and allowing people to update their data if it is wrong.
- Storage limitation: keeping identifiable data for a limited time only.
- Integrity and confidentiality (security): keeping data securely, and only allowing access to the people who need it.
- Accountability: if you collect and store data, you must be able to demonstrate that you comply with the law.
Every business that processes data must ensure that these principles are adhered to in order to avoid legal liability.
POPI is quite similar to the EU GDPR. It applies to data processors or responsible parties who are either domiciled in the Republic of South Africa or who are domiciled elsewhere but “makes use of automated or non-automated means” in South Africa.
The purpose of POPI is to protect personal information, to strike a balance between the right to privacy and the need for the free flow of, and access to, information, and to regulate how personal information is processed. The Act commenced on 1 July 2020; it is important that companies are POPI compliant now, rather than later. There is a 12-month grace period after the commencement date.
The Act provides 8 principles a responsible party must comply with:
- Accountability: Ensure that you comply with and adhere to all 8 principles of POPI.
- Processing limitations: Personal information may only be processed in a fair and lawful manner, and only with the consent of the data subject.
- Purpose specification: Personal information may only be processed for specific and lawful purposes. Steps must be taken to ensure that the data subject knows the purpose for which the data is being collected.
- Further Processing information: Personal information may not be processed for a further purpose unless that processing is compatible with the initial purpose.
- Information Quality: Take reasonable steps to ensure the information is reliable and accurate.
- Openness: The data subject whose information you are collecting must be aware that you are collecting such personal information. The responsible party must maintain all documentation.
- Security safeguards: Take reasonable steps to ensure personal information is kept secure against the risk of loss, unauthorised access, interference, modification, destruction, and disclosure.
- Data subject participation: Data subjects may request whether their personal information is held, as well as the correction and/or deletion of any personal information held about them.
It is noteworthy that section 45 of the Electronic Communications Act, 2005 will be repealed when the POPI is enforced. The POPI requires the responsible party to be transparent about processing information and to allow the data subject to participate in how their information gets processed. It is important for a responsible party to raise awareness of the POPI in the organization, to plan for the protection of data subjects, and to implement changes if not compliant with the POPI.
To recap: process data lawfully by complying with data protection laws, and protect the right to privacy!
Data protection laws have provided mechanisms to ensure a consumer’s right to privacy is protected. What this means for businesses or anyone else processing personal information is to comply with these laws and regulations to avoid legal liability. It is best practice to ensure that a consumer’s personal data is protected and respected. Always bear in mind the ethical and legal considerations when processing personal data.
Thanks for reading, I hope you found this blog post useful.