Privacy is something we all value. We all like to have control over which information people know about us, for two reasons. Firstly, privacy makes us human. We define our relationships with other human beings in terms of the information we share with them, and that unique, personal information distinguishes us from (more and more intelligent) machines. Secondly, privacy gives us power. We want to be in the driving seat on the journey of our own lives, and don’t want people (or machines) to use what they know about us against us.
If private information is what makes us unique, free and autonomous individuals, and that information is incessantly harvested, analysed, categorised, appropriated, traded and used for all kinds of purposes we have no control over and are hardly even aware of, then exactly what is it that remains of our individuality, autonomy and humanity?
As part of worldwide initiatives that try to regain control over our private information, data protection regulation has an important role to play by setting out conditions for processing personal data. In line with South Africa’s international obligation to enforce data protection, its Protection of Personal Information Act (“POPIA”) does exactly that. It does not squarely prohibit the collection and usage of information. As a matter of fact, POPIA explicitly recognises that “the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information”. But in the same breath, it subjects the flow of information to eight conditions that aim to give back control over that information to the people (and companies) the information relates to.
The legal fraternity will be keen to mention the investigative, administrative, conciliatory, criminal and civil procedures that may be lodged against you by the Information Regulator in terms of sections 73-109 of POPIA – for not complying with POPIA’s conditions for lawful processing of personal information, for not cooperating with the Information Regulator, or for the harm this has caused.
Firstly, as part of their own compliance requirements, companies within your supply or service chain need to ensure that the companies they work with are POPIA compliant. As a start, you would do well to require the companies you work with to be POPIA compliant – especially if they share personal information about third parties with you, or you share this information with them. Secondly, your customer reputation and trust are at stake. A blatant disrespect of people’s privacy, or a malicious data breach that could have been prevented, harms your company’s reputation and consumer trust in ways that may be hard to justify or rectify in the context of today’s privacy-sensitive information society. And thirdly, good-quality, well-organised and well-secured personal data about your customers or suppliers is a great asset for your business, and raises its market value.