Data Compliance & Legislation

Data compliance regulations compel companies to improve their data security standards and practices, to prevent breaches from occurring and their customers’ sensitive data from being exposed, stolen, or corrupted. 

Covered in this article

What Is Data Compliance?
The Importance Of Being Data Compliant
Key Data Compliance Regulations You Should Know

What Is Data Compliance?

Data compliance is a process that identifies the applicable governance for data protection, security, storage and other activities and establishes policies, procedures and protocols ensuring data are fully protected from unauthorised access and use, malware and other cybersecurity threats.

By complying with regulations, organisations ensure their sensitive data won’t be compromised, and confirm the necessary precautions have been taken to keep their customer’s data safe. One of the biggest and most significant consequences of not being compliant and obeying legislation is the impact it has on customer trust and loyalty.

According to a Varonis analysis of companies’ reputations after a data breach, 80% of consumers will defect from a business that has compromised their data, and 52% of consumers would pay the same for products or services from a different brand with better security.

When an organisation takes the proper steps to be data compliant, they not only better protect their data but also appear more trustworthy and credible to their customers. Their customers can rest easy, knowing that their data is being protected, and won’t fall into the wrong hands.

The Importance Of Being Data Compliant

Public and private sector organisations have a fiduciary responsibility to protect the information they use to manage their businesses. The availability of relevant standards, regulations and other governance rules and practices that deal with the security, privacy and protection of data ensures that data can be securely managed and protected.

Compliance with data standards, regulations, and other governance rules and practices help ensure that the confidentiality, integrity and availability of an organisation's data, databases and other relevant information are protected. Unauthorised access to mission-critical data could result in damage to the organisation's reputation, loss of revenue and loss of business. However, compliance can be achieved with the help of dozens of available resources, like security technologies, antivirus software and anti-ransomware software to protect all forms of data.

Key Data Compliance Regulations You Should Know

Data privacy is far more than just the security and protection of personal data. It all boils down to how organisations are using that personal data. Organisations need to process personal data in an ethical and legal manner. That could mean not bombarding customers with unwanted SMS marketing messages but it could also mean simply not sharing personal information with third parties without the customer’s consent.

It doesn’t mean that marketing is now forbidden under data privacy laws but it does mean that organisations need to be transparent about what personal data they are capturing and how it’s going to be used. Many organisations recognise the significant risks of cyber-attacks and data breaches but fail to understand what else is required to safeguard what is referred to as the “rights and freedoms of individuals”.

General Data Protection Regulation (GDPR)

The GDPR protects the personally identifiable information of customers and employees. That is a broad category that can include anything that might identify a person, like:

• Names
• Biometric data like fingerprints and facial recognition
• Identification numbers like passport numbers, tax identifiers, and national identification numbers
• IP addresses
• Locations
• Telephone numbers

Punishment for non-compliance with the GDPR is a tiered system of fines. Severe or flagrant violations can lead to fines of up to 4% of the company’s global annual turnover or 20 million Euros — and you’ll have to pay the greater amount.

Promotion of Access to Information Act (PAIA)

This Act gives effect to the Constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights (as per Section 32 of the Constitution of the Republic of South Africa 1996). In addition the Act provides that the Information Regulator (established in terms of the Protection of Personal Information Act, 2013) must exercise certain powers and perform certain duties and functions in terms of this Act. The overall purpose is to: 

• Foster a culture of transparency and accountability in public and private bodies giving effect to the right if access to information and
• Actively promote a society in which the people of South Africa have effective access to information to enable them to more fully exercise and protect all of their rights. 

Protection Of Personal Information Act (POPIA)

The POPI Act is an all-inclusive piece of legislation that safeguards the integrity and sensitivity of private information. The Act recognises the:

• Constitutional right to privacy
• The right to protection against unlawful collection, retention, dissemination and use of personal information and
• That the State must respect, protect, promote and fulfill the rights in the Bill of Rights.

Companies are required to carefully manage the data capture and storage process of Personal Information within the lawful framework as set out in the Act.

One of the key aspects of any privacy law, and POPIA in particular, is that it describes the conditions for lawful processing. In other words, the conditions that need to be met if you are to manage personal information correctly. Meeting these conditions are mandatory if the organisation is seeking compliance with POPIA. 

These conditions are:

1. Accountability: The responsible party must ensure that the conditions and all the measures set out in the Act that give effect to such conditions are complied with at the time of determining the purpose and means of the processing.
2. Processing Limitations: Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject.
3. Purpose Specific: Personal information may only be processed for specific, explicitly defined and legitimate reasons.
4. Further Processing Limitations: Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
5. Information Quality: The responsible party must take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary.
6. Openness: The data subject whose information you are collecting must be aware that you are collecting such personal information and for what purpose the information will be used.
7. Security Safeguards: Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorised destruction and disclosure.
8. Data Subject Participation: Data subjects may request whether their personal information is held, as well as the correction and/or deletion of any personal information held about them.

POPIA Offenses, Penalties, and Fines

Sections 100 – 106 of the POPI Act deal with instances where parties would find themselves “guilty of an offence”. The most relevant of these are:

• Any person who hinders obstructs or unlawfully influences the Regulator;
• A responsible party which fails to comply with an enforcement notice;
• Offences by witnesses, for example, lying under oath or failing to attend hearings;
• Unlawful Acts by the responsible party in connection with account numbers;
• Unlawful Acts by third parties in connection with the account number.

Section 107 of the Act details which penalties apply to respective offences.

For the more serious offences, the maximum penalties are a R10 million fine or imprisonment for a period not exceeding 10 years or to both a fine and such imprisonment. 

For the less serious offences, for example, hindering an official in the execution of a search and seizure warrant, the maximum penalty would be a fine or imprisonment for a period not exceeding 12 months, or both a fine and such imprisonment.

Besides fines and penalties, non-compliance with POPIA can have other serious consequences for organisations, their employees and customers, including reputational risk, loss of revenue due to negative press, loss of customer trust, disciplinary actions and dismissals of employees. Accountants and Auditors also need to consider the effects of POPIA, including:

• Accounting for provisions / contingent liabilities in terms of possible lawsuits, fines and penalties
• Considering whether the entity has a Reportable Irregularity (for reporting to IRBA or CIPC) and 
• The effect on the entity's solvency and going concern. 

If your organisation is GDPR compliant, you are likely to be POPIA compliant as well - but you need the formal documentation (policies and procedures) as required by POPIA to demonstrate compliance. 

International Regulations

Data privacy is also becoming a priority in international markets. China and the United Arab Emirates all passed privacy legislation in 2021, and it’s likely that other countries will follow suit. The U.S. and EU have agreed to a preliminary deal that spells out how American companies can store the personal data of Europeans.

Worldwide, governments are trending toward stiffer compliance standards for consumer data privacy protection. If your product or operations have weak points that might expose sensitive data, now is the time to shore those up.

It is wise to seek legal advice when dealing with such a variety of laws and regulations.