start with why
POPIA does not explicitly state that a responsible party should adopt and publish a privacy policy. So why the trend to have these on websites? It comes down to the eight rules of engagement (or conditions for lawful processing) with data subjects.[2] Among other things, the responsible party must notify data subjects of:
- The personal information that is collected and the source thereof.
- Name and address of the responsible party.
- The purpose for which the information is collected.
- Whether the personal information is supplied on a compulsory or voluntary basis.
- What will happen if the information is not provided.
- Stating any law that requires that certain information be processed.
- Stating whether the information provided will be shared with a third party or transferred cross border.
- Other information, such as the data subject's right of access to their information.[4]
is it sufficient though to publish the privacy policy on your website?
A similar process can be followed regarding the requirements in Section 18 of POPIA. Obtaining a data subject’s signature on a privacy statement can be helpful in demonstrating compliance with the Act. The statement can easily be incorporated into your current processes if the data subject must sign documents anyway in the normal course of business. Then again, a simple e-mail to the data subject with the privacy policy attached can also provide proof that the data subject was made aware of the information. It will depend on your business and what would be regarded as reasonable and practical in your specific circumstances.
can we learn anything from GDPR?
General Data Protection Regulation (GDPR) has been applicable since May 2018 in the European Union and is similar to POPIA. Section 13 of the GDPR makes provision for similar disclosures as POPIA’s Section 18.
A handy template[8] can be downloaded from https://gdpr.eu/ to act as a starting point in drafting your own privacy policy. This website also indicates that organisations must provide privacy policies to data subjects in writing and electronically, if appropriate.[9] It further indicates that organisations should publish their privacy policies on their websites where they can be directly accessed from every webpage, and specifically on the page where data is collected.
the next step
- Make this policy your own. #myprivacypolicy
Do not just blindly copy another entity’s policy. See this as an opportunity to express your company culture and earn your customers’ trust. The CISCO Data Privacy Benchmark Study 2020 reports that 74% of respondents experienced improved customer loyalty and trust as a spin-off of investing in compliance with privacy regulation.[10] If you deal with individuals and entities that really care about their privacy and are willing to take steps to protect their data privacy, you may find that you lose customers due to non-compliance with data privacy legislation.
- Speak your data subjects’ language.
Consider your target audience and tailor your statement accordingly. Again, take a leaf from the book of financial services providers, who have to apply the principles of Treating Customers Fairly (TCF) in all aspects of dealing with clients. The information that you provide must be clear, fair, and appropriate to your target group. So, use plain language and be transparent.
- Support from management.
The tone is set from the top, and it is important that the management structure, be it the board of directors, CEO or MD of an entity, expresses its public support for compliance with the Act and the principles it seeks to advance. You may remember the article written by Rici van Schalkwyk from Wauko in April on values and company culture post-pandemic. “Everything rises and falls on leadership.”[11] Whether the principles in POPIA are embedded in a company’s culture will depend on the leadership.
References:
1. William Shakespeare, Romeo and Juliet.
2. A data subject is of course those people and businesses to whom the personal information that you are processing relates (see Section 1 of POPIA).
3. A responsible party is a public or private entity or other person that collects and otherwise processes personal information (see Section 1 of POPIA).
4. Please refer to Section 18(1) of POPIA for a detailed description of the information that has to be disclosed.
5. Section 18(2) of POPIA.
6. Board Notice 80 of 2003, as amended.
7. Section 3(1)(c), Section 4(1) and Section 5 of the General Code of Conduct.
8. https://gdpr.eu/privacy-notice/
9. https://gdpr.eu/privacy-notice/
10. https://www.cisco.com/c/dam/global/en_uk/products/collateral/security/2020-data-privacy-cybersecurity-series-jan-2020.pdf
11. John C. Maxwell.