Data Protection Laws: Implications for Expansion into Africa

Increased digitization and emerging technologies, such as Artificial Intelligence, Machine Learning, and Blockchain, have relied on and fuelled an exponential growth in data as we step into what has been dubbed the ‘Data Age’.

But what does data actually mean? Data can be thought of as information that has been translated into a form that is efficient for movement or processing, generally through the use of computers. While the Data Age has led to exciting new technologies and advancements in the way we work, the increased collection and use of data has led to increased security issues and concerns for individuals, organisations and nations. Many countries have subsequently scrambled to implement some kind of data protection and privacy act. African countries, such as Ghana, Kenya and South Africa, have followed this trend.

Data protection laws are necessary to protect data subjects from harm. However, they have required corporate executives, together with Legal, IT and HR professionals, to adapt the way they collect and use data. Using South Africa’s POPIA as an example, this article breaks down some of the data security considerations for organisations expanding into Africa.

What is the POPIA’s main purpose?

South Africa implemented the Protection of Personal Information Act (POPIA) in 2020, which details the conditions for responsible partners to process data (particularly personal data). This new Act aims to protect individuals’ right to privacy and to give them control over how their data is collected, recorded, used and shared. The Act focuses on protecting data regarding an individual’s identity, for instance, their identity number, contact information, medical history or financial data.

How does this act impact organisations expanding into Africa?

Organisations considering hiring an employee in, or expanding into, South Africa must understand how POPIA can impact the way they process people’s data. POPIA places the onus on employers and the Legal, IT and HR departments within an organisation to ensure that all personal data is used and stored securely. Thus, these leaders need to be committed to taking the requisite steps to remain compliant with POPIA.

Should an organisation not adhere to POPIA, it places itself at financial and legal risk, potentially being liable to civil damage claims or given hefty fines (up to 10 million South African Rand!). Further, non-compliance may lead to significant reputational damage to the company, which may negatively impact its customers’ perception of it, and its ability to attract talent in the workforce.

How do organisations ensure compliance with the Protection of Personal Information Act?

Ensuring compliance with the Protection of Personal Information Act can be quite complex. Given the negative implications of non-compliance, taking the appropriate steps to ensure data security must be prioritised by organisations. Here are some considerations for organisations when implementing data protection measures in South Africa.

1. Create a data security policy

Have you established a policy to deal with threats to the protection of personal information?

The first step in ensuring compliance with POPIA is to establish a robust IT security policy, encompassing any risks (physical and cyber) of data leaks within the system.

Physical security of hardware (e.g. laptops, equipment and hard drives) is a serious concern throughout the African continent, as numerous societal and economic factors lead many individuals to criminal behaviour. Thus, an organisation needs to prioritise the physical protection of their equipment, should they be expanding into a country like South Africa.

Threats to security are no longer purely in the physical world, as organisations now need to account for ‘cyber threats’ too. A cyber threat is a malicious act intended to damage or steal data from an organisation. Given the ‘post-Covid’ world and increasingly remote ways of working, organisations now need to ensure that data is safe when employees are working in remote locations. This is particularly relevant if an organisation is considering expansion to South Africa or hiring members of the South African workforce.

A policy that allows individuals to identify risks to personal information in the system, and report them appropriately, is important to uphold data privacy. When considering expansion, it is crucial for organisations to ensure that they are getting the most accurate information, advice and action plans to establish data security (e.g. installing robust firewalls, secure passwords and anti-spam software). Thus, it becomes important to partner with experts in local law (such as data protection laws), as well as experts in data and cybersecurity in the different localities.

2. Encourage employee buy-in

Are your employees equipped to ensure data security?

While the responsibility to implement data protection laws (e.g. POPIA) falls on the employer and HR/IT/Legal department representatives, employees have to realise the role they play in maintaining data security and take accountability for it.

Employee buy-in can be a tough ask, particularly if it requires them to engage in more manual tasks (e.g. remembering to save files to a protected folder, setting passwords etc.). Onboarding a global workforce may make this more difficult, as employers have to account for different ways of work and cultural nuances in how safety is perceived. However, leadership can play an integral role in changing employees’ data security behaviours. By creating a shared understanding of the importance of data security through role modelling processes and upskilling employees with the required knowledge and skills to inform ‘safe’ behaviours, leaders are likely to see greater employee buy-in. Most importantly, leaders need to ensure these behaviours are embedded in employees’ ways of work, rather than fading after a few weeks. Perhaps leaders could send ‘best practice’ tips or new information monthly and employees could be encouraged to continually attend ‘refresher’ trainings.

3. Have a plan for how data will be processed

Why are we collecting this data?

Given the value data now carries, many organisations may want to acquire as much data as possible to inform insights into their customers and subsequent business strategies. However, more is not always better, and more data leads to an increased risk of data leaks and threats to the organisation.

When collecting data, organisations need to be very clear on what data is being processed and for what purpose. Data protection laws, such as POPIA, require organisations to only collect data that has a clear purpose, and to only keep it for as long as it is needed by the organisation. Thus, once the data has been processed, it needs to be destroyed securely to prevent increased risks of data leaks. 

4. Always ask for informed consent

Do the data subjects approve of how their data will be processed?

Before collecting any form of personal data from individuals (or data subjects), be it an organisation’s employees or clients, it is essential to inform them (in written or verbal format) as to the purpose of the data collection, who will have access to the data, what it will be used for, and how it will be kept secure.

Based on this information, the data subjects need to be given the chance to provide their consent for their data to be processed. Given that South Africa has 11 official languages, it is important that organisations ensure that their subjects understand what data is being collected and why. Without such understanding, data subjects are unable to provide informed consent. This is an opportunity for organisations to build trust with their subjects, as being honest and transparent regarding the intent of data collection and embedding dedicated safety measures indicates that an organisation values individuals’ rights and privacy. Should an organisation breach this trust, it may damage the organisation’s reputation with customers and employees.

Compliance with POPIA seems hard? Not with Africa HR Solutions!

As organisations look to expand globally, compliance with African data protection laws (e.g. POPIA in South Africa) may seem like an impossible task. Partnering with an ally who understands the nuances of data protection laws within the different African countries, and how these may affect organisations, is essential in remaining compliant. A reliable Employer of Record with a proven track record, such as Africa HR Solutions, is able to provide accurate and relevant recommendations to ensure peace of mind as you set up a global organisation. Not only does such a partnership ensure compliance with different African countries’ data protection laws, but we help you to establish appropriate systems to prevent the financial and legal risks that arise as a result of data breaches.

If you wish to learn more about how Africa HR Solutions can assist you with your organisation’s expansion into or across Africa, be sure to contact us at any time!
