Privacy by design a key factor in data protection

Christopher Tredger
By Christopher Tredger, Portals editor
Johannesburg, 14 Mar 2024
From left: Janine West, NTT; Lucien Pierce, PPM Attorneys; Dr Sizwe Gwala, Absa, Ahmore Burger-Smidt, Werksmans Attorneys; and Bongani Matshika, Standard Bank.
From left: Janine West, NTT; Lucien Pierce, PPM Attorneys; Dr Sizwe Gwala, Absa, Ahmore Burger-Smidt, Werksmans Attorneys; and Bongani Matshika, Standard Bank.

The adoption of data protection measures, including privacy by design, has been growing  among enterprises in South Africa. However, small and medium-sized enterprises (SMEs) face particular challenges due to limited resources and expertise. However, regardless of size, every business must strengthen their capacity to safeguard data.

This was the framework for a panel discussion at ITWeb's BI Summit 2024 yesterday. The session, chaired by Janine West, director of data privacy and protection at NTT, delved into the intersection of legal frameworks and technological advancements in data protection and privacy.

Developments referenced included how South Africa’s POPIA compares to laws used abroad, such as Europe’s GDPR.

Panellist Lucien Pierce, director, PPM Attorneys, said it is important that South Africa is aware of international best practices in data protection and the global ‘gold standard’ in legislation and regulation,” said Pierce.

Ahmore Burger-Smidt, director, head of regulatory practice, Werksmans Attorneys, highlighted the differences between data sovereignty, data localisation and data jurisdiction.

“I think there we are confronted with a lot of confusing concepts. Data privacy legislation is actually concise, but there are rabbit holes that you can fall into in applying and interpreting the legislation, which makes it very complicated,” she says.

Burger-Smidt believes that privacy responsibilities should be entrusted to the legal function within an organisation. This is due to the proliferation of legislation globally, necessitating management and alignment, which in turn underscores the importance of localisation.

“We see this especially in Africa, the desire to implement localisation in terms of the data privacy legislation. What that means is the data that we process within a jurisdiction will be held in that jurisdiction, so there is no opportunity for cloud storage outside of the jurisdiction – everything must be held within the bounds of the country. That gives a completely different spin on how you deal with and process personal information.”

Protection by design

The panel highlighted the challenge of securing management buy-in when it comes to justifying investment in data protection solutions.

This is often due to how the organisation is structured in terms of team location and level of interaction.

Bongani Matshika, data privacy specialist at Standard Bank, said it is critical to include management from the beginning of the process. “A top-down approach is the best to implement privacy policy and technology across the organisation,” he said.

He added that many organisations still operate in silos when it comes to integrating privacy by design innovation and policy implementation. This disjointed approach often results in a misalignment between innovation and regulatory compliance.

West concurred, noting that privacy discussions are often excluded from corporate strategy deliberations, which ideally should be the primary forum for such discussions. It's crucial to involve all teams to ensure compliance at every stage, but this is often seen as ‘red tape’.

 South Africa’s struggle with data breaches and their legal

consequences, the panellists reached consensus on the need to get the basics right, including the ‘people factor’ and the growing need for digital literacy.