African countries are lagging in enacting data protection laws, leaving citizens vulnerable to cyber attacks.

That was the word from Susi du Preez, an independent security expert, speaking yesterday during the ITWeb Security Summit 2020, which was hosted virtually.

Comparing the pros and cons of data protection and privacy legislation and the need for a global response, Du Preez said out of the 54 countries on the African continent, only 17 have data protection laws in place.

“There are 17 countries in Africa that have enacted comprehensive personal data protection legislation, namely: Angola, Benin, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Tunisia and Western Sahara,” she said.

SA’s data protection law – the Protection of Personal Information (POPI) Act – came into effect on 1 July 2020. However, local companies have been given a one-year grace period to comply with the law.

The purpose of the law is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information, by holding them accountable should they abuse or compromise personal information in any way.

Businesses that don’t comply with the POPI Act, whether the non-compliance is intentional or accidental, can face severe penalties.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

Du Preez added that the African Union (AU) adopted the AU Convention on Cyber Security and Data Protection in June 2014.

According to Du Preez, privacy laws are laws that regulate the storing and use of personally identifiable information (PII).

She said PII includes any data that could potentially be used to identify a particular person. These include full name, ID number, social security number, address, driver’s licence number, bank account numbers, passport number or even an e-mail address.

PII can be used against users, she noted. “Once a hacker or criminal has harvested the information, they can use it in various social engineering attacks.”

An important example to mention is when hackers conduct “psychological profiling” using the PII, Du Preez said.

“Psychological profiling is inferring people’s psychological profiles from their tweets, ‘likes’ and purchases. The data is bundled together and used to create a profile of the individual. At first it looks harmless, as it is used for beneficial purposes such as providing recommendations on Netflix, etc.

“Not until the past decade have governments become aware of how profiling can be weaponised and used maliciously.”

The Cambridge Analytica scandal provided a great example of how organisations are building profiles of individuals and targeting them with specific advertisements to influence elections, she noted.

“Weaponised profiling is interfering with elections on a global scale. Some notable countries are the United States, Brazil and the United Kingdom,” she said.

However, she stressed that every country is prone to weaponised profiling.

She added that privacy laws regulate the way individuals’ personal information is handled. “They allow you to know why your personal information is being collected, how it will be used and who it will be disclosed to.

“The laws allow you the option to not identify yourself, or to allow your information to be used in certain instances. They keep you safe from psychological profiling and safeguard the confidentiality of personally identifiable records.”