I am a digital citizen. The Internet has been part of my work space since my first job. I spend a good portion of my life online: working, chatting, collaborating, shopping, banking and reading. Every time I complete a website registration, accept a cookie or sign up for a service, I am trusting my digital identity to an entity which may or may not have proper data protection policies. As trusting consumers, we tend to expect that the major brands in banking, healthcare, telecoms and e-commerce have a data protection charter to which the organisation’s employees, partners and suppliers adhere.
A passing mention of data privacy in the website terms and conditions is not enough.
A company’s data protection policies must set down comprehensive guidelines for how data is gathered, shared, processed and stored. They should keep the rights to access and control personal data firmly in the hands of the data subject, namely you and me, as well as spell out an emergency plan in the event of a data breach.
But at the point where something goes really wrong, an internal company charter is not a legal obligation… unless it can be proven the company did not comply with the appropriate data privacy legislation. Which is why digital citizens should be pushing for full enactment of the Protection of Personal Information Act (PoPI). Although parts of the Act have been ‘activated’, PoPI won’t provide recourse for a consumer whose personal information has been compromised until the full Act is in play and the grace period is over.
If a company breaches your trust by sharing, publishing or using your information without consent, you can take to social media to make a stink; you can write a strongly-worded letter to the CEO; you can even sue for personal damages if you have suffered provable loss. But until the PoPI Act is enforced, the company is potentially only guilty of an ethically bad thing, not a legally bad thing. When PoPI commences, the Act adds legal and financial consequences to the fear of reputational damage.
PoPI will not dissuade spammers or scammers.
The Act is not going to make fraudsters rethink their nefarious plans – criminals by their nature work to undermine the law. But it will dissuade a legitimate organisation that holds your personal information from treating data security casually, as it will be responsible, by order of legislation, for implementing data protection policies and processes as well as training and policing its employees and third-party providers. What’s puzzling is that SA’s digital-savvy citizens are not actively pushing for the Act to be fully enabled.
We’re merrily sharing our ‘precious goods’ with all sorts of suppliers, websites and social media, without adequate protection of our digital identities. The PoPI Act makes it our legislated right to expect that a company gathering, processing and storing our data must do so with the appropriate level of care and consent.