Legal View

Unintended consequences of POPI, GDPR

Kevin Phillips.
Kevin Phillips.

It feels like it is one step forward and two steps back at the moment. Yes, we've beefed up the protection of personal identification data with the Protection of Personal Information (POPI) Act (POPI) in South Africa, as well as its big brother, the European Union's General Data Protection Regulation (GDPR).

But I'm wondering what that means for ongoing digitalisation and innovation, as we disrupt our businesses and markets to ensure we survive in the fourth industrial age. At the heart of much of this innovation lies data, and I'm wondering if POPI and GDPR might be cutting off, or at least severely curtailing, this lifeblood.

A crucial part of business transformation is tapping into the massive amount of data we have from customers, our internal business operations, and the multitude of devices that connect on our behalf without us even thinking about it.

Look at Uber, the poster child for disruption of an established business model. It uses location data to link drivers with fares, and pricing and traffic algorithms to set the price for the trip. And many (most?) of us, especially millennials, are more than happy to share our personal identification data (in this case, location and credit card details), with services that give us value in return.

These laws appear to be taking a sledgehammer to the fact that we "pay" for services such as Facebook with our data, and that many of these digital services rely on our, and others', data to work their magic. Organisations absolutely should be transparent and ethical with how our data is stored and used, and which third parties have access to it. But I am worried we have gone too far in the other direction.

Certainly, if you do not like Facebook's use of your data, you can delete your Facebook profile and not use the social media platform. (The company is researching the option for a subscription-based, ads-free option, but I have my doubts over what the uptake would be.) But, take for instance my car insurance, which includes vehicle tracking to monitor my driving, reward me for good, safe driving habits, and also sending out emergency services to me and my car in case of an accident or breakdown. If I were to withhold my geolocation data, as I could do under the GDPR, it would be impossible to offer me this service, which is unquestionably of benefit to me.

These laws appear to be taking a sledgehammer to the fact that we "pay" for services such as Facebook with our data.

Another example. There is no doubt that smartphone-based traffic information services such as Google Maps and Waze have made navigating cities at rush hour less of a chore. Yet services like these rely on a community willing to share their location data. The more data, the better the service, and conversely, the sparser the data, the less helpful the service, until, if everyone opts out, the service fails.

Although the GDPR is EU legislation, you'll have noticed the flurry of updated terms and conditions when it launched in May. It goes to show how borderless the digital world is, as it affects South African companies that have European customers, newsletter subscribers, or shareholders, as Liberty Holdings may find out after its June hack. And with the US, Australia and India already indicating they will follow the European Union's lead, there is no doubt this will soon be the global standard.

There are a couple of rights the GDPR grants individuals that I am specifically concerned about in terms of our data-driven future. Notably the right to have all or some of your personal identification data erased; the right to request a company stop processing your data; and finally, the right to ask for manual, not automatic processing.

How does this synch with a data-driven world where insights about our individual and collective data drive progress and a better life? With quantum leaps forward in computer processing power just around the corner, I wonder what life-improving discoveries are going to be made by data-crunching algorithms that we can't even dream about today.

Yes, some of these are likely to be better ways to sell us stuff, but others could be breakthroughs in medicine, or climate change, or smarter cities or smarter apps making our lives easier.

We need to be careful about hamstringing our digital future, before we've even got there, and unfortunately current legislation, if applied to the letter of the law, may well be doing just that!

Kevin Phillips
Founder and CEO of IDU Holdings.

Kevin Phillips is founder and CEO of IDU Holdings. He has degrees in commerce and accounting, and started IDU with partners James Smith and Wayne Claassen in 1998. He is fast becoming a thought leader in his field, and regularly comments in the media on current affairs affecting business, as well as accounting, finance, budgeting and software. Phillips is a columnist for Accountancy South Africa and AccountingWeb UK, and has been featured in Sunday Times, Business Day, Enterprise Risk, Succeed and Entrepreneur. He has also appeared as a guest speaker on Radio 702, Kaya FM and Summit TV.

Have your say
Facebook icon
Youtube play icon