What does GDPR's track record so far tell us about the likely impact of POPIA?
As we launch into 2019, it seems a good time to ask: has there been a material, visible impact since the launch of the GDPR – the European Union’s much anticipated, and mildly feared, new data privacy regulations?
The short answer is yes. EU watchdogs have received more complaints from the public, data breach reports are on the rise and precedents are being set through a number of sanctions on companies for non-compliant practices. All of this has been communicated by regulators and commentators in a steady stream of insights into the impact of this law.
It is also worth considering whether the impact of the GDPR provides insight into what South Africans can expect from the Protection of Personal Information Act (POPIA), once it is fully enacted.
Communication by regulators
While the sheer amount of information in circulation in the run-up to GDPR was impressive, the communication and guidance still coming from certain regulators post-enforcement is outstanding.
Specifically, the UK’s Information Commissioner’s Office (ICO) publishes information and practical guidance on all aspects of GDPR, including how businesses should apply the requirements and how the regulations help consumers. Nor is this a one-way flow of information: the ICO encourages engagement through requests for comments and feedback via its website, a resource that is informative for both business and consumers.
Making this information so readily available has numerous benefits, not least that GDPR stays top of mind for business, but also, importantly, that a spotlight is directed on any grey areas in the regulations, removing perceived loopholes and clearing up misconceptions.
To date, the communication from the South African Information Regulator has been sparse.
Basic information and key documents can be found on the DOJ’s Inforeg website, but when it comes to keeping the public interested and informed, the Regulator has yet to establish a decent flow of information and guidance. Possibly, this will become a priority once the regulations are finalized and the Act is fully enacted.
Data subject complaints have increased
Both GDPR and POPIA make specific provisions around the consumers’ right to control what is done with their own information and provide guidance on recourse, should an individual believe that his/her personal data is being abused by an organization.
Complaints from members of the UK public, covering issues related to personal data, portability and security, more than doubled in the 6 months following GDPR enforcement. According to the UK Information Commissioner, their “frontline services have jumped by at least 100 percent.”
Assuming the South African Regulator makes reporting by data subjects as accessible as its European counterparts have, we should expect the same increase in consumer complaints. Achieving this level of engagement, however, will require a significant change in strategy from the Regulator, whose communication to date has been less of a dialogue and more of a broadcast.
Data breach reports
Reports of actual or potential data breaches have also increased.
According to Information Security Media Group, the increase in data breach reports filed since GDPR went into effect is significant: 3,500 in Ireland, over 4,600 in Germany, 6,000 in France and 8,000 in the U.K.
This is not necessarily an indication of more data breaches; rather it’s a result of the GDPR’s data breach reporting requirement, which stipulates that certain data breaches must be reported to the relevant authority within 72 hours of becoming aware of the problem.
It remains to be seen whether the South African Regulator will be successful in creating the infrastructure and resources required to deal with data breach reports in a manner that reduces the adverse impacts of a breach and assists both consumers and organizations in responding appropriately.
Sanctions for non-compliance
Data privacy regulations will only be effective if the regulators are stringent in ensuring that organizations are compliant, and respond with material consequences on those that aren’t. The UK’s ICO, however, has publicly stated that its approach would tend towards being supportive and advising organizations on compliance, rather than policing adherence and acting punitively.
By late December, just three nations had made public fines under the EU regulations. The UK’s first enforcement under the new regime, meanwhile, fell flat, after the Canadian business involved successfully appealed the order.
The Information Regulator in South Africa published the final POPI regulations on 14 December 2018. Before the regulator can show its mettle, however, the POPI Act will need to be fully enacted via an announcement in the Government Gazette. Once a commencement date is published, it is widely believed that businesses will have a grace period in which to work towards compliance.
Without a doubt, the impact of the GDPR has been a positive one. It’s impossible to know whether the regulations have reduced the number of breaches, but it’s absolutely clear that increased reporting, visibility and transparency from companies dealing with confidential information is a giant step in the right direction.
We can only hope that the South African Information Regulator is taking notes from all the learnings coming out of the EU and aiming for a bigger, better impact once POPI is enforced.