If 2017 was largely about businesses and organisations coming to terms with the impact of a world undergoing digital transformation, the focus in 2018 is on preparedness, action and managing digital risk.
Across the globe, developments in privacy legislation are underway, as detailed by Baker McKenzie’s latest Global Privacy and Information Management Handbook 2018.
Three themes dominated data privacy news this past year. Firstly, there has been a profound transformation of business and organisational activities, processes, competencies and models to fully leverage the changes and opportunities of digital technologies.
Secondly, an increasingly weighty challenge is developing for businesses in terms of managing and protecting the growing amounts and richness of data being collected, used and processed.
Thirdly, there has been a sharp increase in global compliance obligations aimed at protecting the rights of individuals affected by the digital transformation.
The increase in data breaches and cyber-attacks around the world has motivated regulators to play a more active role in the enforcement of data security. For example, in Denmark, the Danish regulator has placed heavy focus on pursuing data breaches. In Australia, mandatory data breach notification is now law. In Hong Kong, the Securities and Futures Commission (SFC) issued new sector-based proposals in May 2017 to reduce and mitigate hacking risks associated with Internet trading.
“In South Africa, the Protection of Personal Information Act, 2013 (POPIA) was enacted in 2013 and is expected to be implemented this year.
“Once implemented, it is expected to change the way businesses approach the protection of customer and employee data and how they will have to report on data security breaches.
“In terms of POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party will have to notify the Information Regulator, as well as the data subject, unless that person’s identity cannot be established.
“In addition, the revised Cybercrimes and Cybersecurity Bill, currently under consideration by the National Assembly, notes the further obligations of electronic communications service providers and financial institutions when they become aware that their computer systems have been involved in a cyber security breach as defined by the Bill,” explains Darryl Bernstein, head of the technology, media and telecommunications practice at Baker McKenzie in Johannesburg.
“They must, according to the Bill, report such offences to the South African Police Service and preserve any information which may be of assistance in the investigation.”
Globally, there were also some notable trends in terms of employee monitoring in 2017. In Norway, the regulator released a guide for businesses implementing surveillance measures at the workplace. In Germany, the Federal Labour Court held that the use of key logger software to secretly monitor employees violated employee privacy. In Hungary, the regulator issued guidance on data processing in the employment context.
Bernstein notes that, in South Africa, there is currently no provision under POPIA that specifically addresses consent requirements for employees.
However, when implementing an anti-spam filter solution in its operations, an organisation is required to inform employees of the monitoring policies being implemented in the workplace. It may also be required to give employees the opportunity to opt out of the spam-filtering solution and to review the isolated e-mails designated as spam.
In addition, when implementing an e-discovery system, an organisation is required to obtain the consent of employees if the collection of personal information is involved, and to advise the employees of the implementation of such a system, the monitoring of work tools and the storage of information.
Further, South Africa’s Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) regulates the interception and monitoring of employee communication in the workplace. RICA contains a general prohibition against the intentional interception of any communication. Two notable exceptions to the general prohibition are where the employee consented to the interception, or where the interception was done for a general business purpose.
All eyes are also on the European Union’s General Data Protection Regulation (GDPR), which will apply from 25 May 2018. National legislators around the world have been busy consulting and drafting legislation that will supplement the GDPR. Regulators are issuing guidance on key topics while still coming to terms with their redefined roles. Businesses are seeking to understand the numerous stringent obligations that the GDPR will impose on them.
“In South Africa, businesses doing business with the EU will have to ensure they are compliant with the regulations in the GDPR that are not covered by their compliance with POPIA. For instance, the GDPR deals with a subject’s right to data portability, which POPIA does not. It also requires data controllers to conduct data protection impact assessments, which is not required under POPIA, and the GDPR has much higher penalties for non-compliance.
“Failure to comply with data privacy legislation is now a significant business risk, not just in South Africa, but around the world,” adds Bernstein.