Increased digitization and emerging technologies, such as Artificial Intelligence, Machine Learning, and Blockchain, have relied on and fuelled an exponential growth in data as we step into what has been dubbed the ‘Data Age’.
But what does data actually mean? Data can be thought of as information that has been translated into a form that is efficient for movement or processing, generally through the use of computers. While the Data Age has led to exciting new technologies and advancements in the way we work, the increased collection and use of data has led to increased security issues and concerns for individuals, organisations and nations. Many countries have subsequently scrambled to implement some kind of data protection and privacy act. African countries, such as Ghana, Kenya and South Africa, have followed this trend.
Data protection laws are necessary to protect data subjects from harm; however, they have required corporate executives, together with Legal, IT and HR professionals, to adapt the way they collect and use data. Using South Africa’s POPIA as an example, this article breaks down some of the data security considerations for organisations expanding into Africa.
South Africa implemented the Protection of Personal Information Act (POPIA) in 2020, which details the conditions for responsible partners to process data (particularly personal data). This new Act aims to protect individuals’ right to privacy and to give them control over how their data is collected, recorded, used and shared. The Act focuses on protecting data regarding an individual’s identity, for instance, their identity number, contact information, medical history or financial data.
Organisations considering hiring an employee in, or expanding into, South Africa must understand how POPIA can impact the way they process people’s data. POPIA places the onus on employers and the Legal, IT and HR departments within an organisation to ensure that all personal data is used and stored securely. Thus, these leaders need to be committed to taking the requisite steps to remain compliant with POPIA.
Should an organisation not adhere to POPIA, it places itself at financial and legal risk, potentially being liable to civil damage claims or given hefty fines (up to 10 million South African Rand!). Further, non-compliance may lead to significant reputational damage to the company, which may negatively impact its customers’ perception of it and its ability to attract talent in the workforce.
Ensuring compliance with the Protection of Personal Information Act can be quite complex. Given the negative implications of non-compliance, taking the appropriate steps to ensure data security must be prioritised by organisations. Here are some considerations for organisations when implementing data protection measures in South Africa.
Have you established a policy to deal with threats to the protection of personal information?
The first step in ensuring compliance with POPIA is to establish a robust IT security policy that covers any risks (physical and cyber) of data leaks within the system.
Physical security of hardware (e.g. laptops, equipment and hard drives) is a serious concern throughout the African continent, as numerous societal and economic factors lead many individuals to criminal behaviour. Thus, an organisation needs to prioritise the physical protection of their equipment, should they be expanding into a country like South Africa.
Threats to security are no longer purely in the physical world, as organisations now need to account for ‘cyber threats’ too. A cyber threat is a malicious act intended to damage or steal data from organisations. Given the ‘post-Covid’ world and increasingly remote ways of working, organisations now need to ensure that data is safe when employees are working in remote locations. This is particularly relevant if an organisation is considering expansion to South Africa or hiring members of the South African workforce.
A policy that allows individuals to identify risks to personal information in the system, and report them appropriately, is important to uphold data privacy. When considering expansion, it is crucial for organisations to ensure that they are getting the most accurate information, advice and action plans to establish data security (e.g. installing robust firewalls, secure passwords and anti-spam software). Thus, it becomes important to partner with experts in local law (such as data protection laws), as well as experts in data and cybersecurity in the different localities.
Are your employees equipped to ensure data security?
While the responsibility to implement data protection laws (e.g. POPIA) falls on the employer and HR/IT/Legal department representatives, employees have to realise the role they play in maintaining data security and take accountability for this role.
Employee buy-in can be a tough ask, particularly if it requires them to engage in more manual tasks (e.g. making sure to save files to a protected folder, setting passwords etc.). Onboarding a global workforce may make this more difficult, as employers have to account for different ways of work and cultural nuances in how safety is perceived. However, leadership can play an integral role in changing employees’ data security behaviours. By creating a shared understanding of the importance of data security through role modelling processes and upskilling employees with the required knowledge and skills to inform ‘safe’ behaviours, leaders are likely to see greater employee buy-in. Most importantly, leaders need to ensure these behaviours are embedded in employees’ ways of work, rather than fading after a few weeks. Perhaps leaders could send ‘best practice’ tips or new information monthly, and employees could be encouraged to continually attend ‘refresher’ trainings.
Why are we collecting this data?
Given the value data now carries, many organisations may want to acquire as much data as possible to inform insights into their customers and subsequent business strategies. However, more is not always better, and increased data leads to increased risk of data leaks and threat to the organisation.
When collecting data, organisations need to be very clear on what data is being processed and for what purpose. Data protection laws, such as POPIA, require organisations to only collect data that has a clear purpose, and to only keep it for as long as it is needed by the organisation. Thus, once the data has been processed, it needs to be destroyed securely to prevent increased risks of data leaks.
Do the data subjects approve of how their data will be processed?
Before collecting any form of personal data from individuals (or data subjects), be it an organisation’s employees or clients, it is essential to inform them (in written or verbal format) as to the purpose of the data collection, who will have access to the data, what it will be used for, and how it will be kept secure.
Based on this information, the data subjects need to be given the chance to provide their consent for their data to be processed. Given that South Africa has 11 official languages, it is important that organisations ensure that their subjects understand what data is being collected and why. Without such understanding, data subjects are unable to provide informed consent. This is an opportunity for organisations to build trust with their subjects, as being honest and transparent regarding the intent of data collection and embedding dedicated safety measures indicates that an organisation values individuals’ rights and privacy. Should an organisation breach this trust, it may impact the organisation’s reputation for customers and employees.
As organisations look to expand globally, compliance with African data protection laws (e.g. POPIA in South Africa) may seem like an impossible task. Partnering with an ally who understands the nuances of data protection laws within the different African countries, and how these may affect organisations, is essential in remaining compliant. A reliable Employer of Record with a proven track record, such as Africa HR Solutions, is able to provide accurate and relevant recommendations to ensure peace of mind as you set up a global organisation. Not only does such a partnership ensure compliance with different African countries’ data protection laws, but we also help you to establish appropriate systems to prevent the financial and legal risks that arise as a result of data breaches.
If you wish to learn more about how Africa HR Solutions can assist you with your organisation’s expansion into or across Africa, be sure to contact us at any time!
Kevina Takoordyal has a BA Hons Business Management from the University of Glamorgan, UK, with an MBA in Leadership and Innovation, MBA General, PMP Certified, and Agile Scrum Master. She currently works as the Head of Operations at Africa HR Solutions Ltd with more than 20 years of proven leadership capabilities in Operations, Business Development, People Management, Process Optimization, and Project Management in the Financial Services, BPO, Banking, and Health Care industries. With senior leadership roles with an international footprint across Europe and extensive Pan-African experience from a compliance, finance, and operations angle, Kevina brings a panoply of cross-functional skills. Kevina also serves on a few Boards, as Non-Independent Executive at MioD and for NGOs on a voluntary basis, and is a coach and mentor to aspiring female leaders across Africa and Mauritius.
Kevina is a firm believer in Servant Leadership with a strong focus and commitment to uplifting others, with the ability to deliver through a highly engaged, diverse team, and works towards consistently synergistic value creation. A focused and adaptive thinker, Kevina actively participates in panel discussions on Innovation, CX, and Digital transformation.
Kevina serves as Project Assessor for the National Youth upskilling program. She has been recognized as Global Talent in a few companies, Ceridian and International SOS Ltd, whereby she has been awarded a few scholarships and had the opportunity to be mentored by a Senior Vice President in the US. She is an award winner in various fields and at a national level, with recognition including the Super Achiever Leader Award in Africa in 2016 and Africa Women Leader 2018.