what’s in a privacy policy?

by Marianne Mokken | July 1, 2021

Over the past few months, in the run-up to the deadline for compliance with the Protection of Personal Information Act (POPIA) on 1 July 2021, we have seen privacy policies pop up on various websites. Some call it a privacy policy, others call it a privacy statement or a privacy notice. What’s in a name? That which we call a rose by any other name would smell as sweet.[1] Irrespective of what you want to call it, some may ask why businesses have a statement on their website, and those who are trying to wade through this on their own may ask whether they also need one.

start with why

POPIA does not explicitly state that a responsible party[3] should adopt and publish a privacy policy. So why the trend to have these on websites? It comes down to the eight rules of engagement (or conditions for lawful processing) with data subjects.[2]

The rules of engagement are set out in Chapter 3 of POPIA and Condition 6 requires openness. Openness or transparency in terms of Section 18 of POPIA requires a responsible party to take reasonably practicable steps to ensure that a data subject is made aware of certain information. Briefly, the required information is as follows:
  • The personal information that is collected and the source thereof.
  • Name and address of the responsible party.
  • The purpose for which the information is collected.
  • Whether the personal information is supplied on a compulsory or voluntary basis.
  • What will happen if the information is not provided.
  • Stating any law that requires that certain information be processed.
  • Stating whether the information provided will be shared with a third party or transferred cross border.
  • Other information, such as the right to have access to their information.[4]
These reasonably practicable steps must be taken before the information is collected or as soon as reasonably practicable after it has been collected.[5] Subsection 4 then sets out various circumstances in which the disclosures in terms of Section 18(1) need not be made. Although these are also important to take note of, I am not going to discuss those exclusions in detail here.

is it sufficient though to publish the privacy policy on your website?

I would suggest taking a leaf from the financial services industry’s book here. They have, after all, been complying with various pieces of legislation for several years now. The wording of Section 18(2) reminds me of the General Code of Conduct for Authorised Financial Services Providers and Representatives (General Code of Conduct).[6] The General Code of Conduct uses the term “at the earliest reasonable opportunity”,[7] and even though the Code explicitly requires that the information be in writing or confirmed in writing, I still believe it provides at least some guidance. The practice in the financial services industry has therefore been to disclose the information required by the General Code of Conduct in a disclosure letter and/or a record of advice, which the client must sign as an indication that the documents were read and understood. The signed documents then act as a tool to demonstrate compliance with the General Code of Conduct.

A similar process can be followed regarding the requirements in Section 18 of POPIA. Obtaining a data subject’s signature on a privacy statement can be helpful in demonstrating compliance with the act. The statement can easily be incorporated in your current processes if the data subject must sign documents anyway in the normal course of business. Then again, a simple e-mail to the data subject with the privacy policy attached can also provide proof that the data subject was made aware of the information. It will depend on your business and what would be regarded as reasonable and practical in your specific circumstances.

can we learn anything from GDPR?

General Data Protection Regulation (GDPR) has been applicable since May 2018 in the European Union and is similar to POPIA. Section 13 of the GDPR makes provision for similar disclosures as POPIA’s Section 18.

A handy template[8] can be downloaded from https://gdpr.eu/ to act as a starting point in drafting your own privacy policy. This website also indicates that organisations must provide privacy policies to data subjects in writing and electronically, if appropriate.[9] It further indicates that organisations should publish their privacy policies on their websites, where they can be directly accessed from every webpage, and specifically on the page where data is collected.

the next step

Whether you decide to use a template and have a go at it yourself, or whether this task seems too daunting, and you make use of professional help, keep the following in mind:
  1. Make this policy your own.
    #myprivacypolicy. Do not just blindly copy another entity’s policy. See this as an opportunity to express your company culture and earn your customers’ trust. The CISCO Data Privacy Benchmark Study 2020 reports that 74% of respondents experienced improved customer loyalty and trust as a spin-off of investing in compliance with privacy regulation.[10] If you deal with individuals and entities that really care about their privacy and are willing to take steps to protect their data privacy, you may find that you lose customers due to non-compliance with data privacy legislation.
  2. Speak your data subjects’ language.
    Consider your target audience and tailor your statement accordingly. Again, take a leaf from the book of financial services providers who have to apply principles of Treating Customers Fairly (TCF) in all aspects of dealing with clients. The information that you provide must be clear, fair, and appropriate to your target group. So, use plain language and be transparent.
  3. Support from management.
    The tone is set from the top, and it is important that the management structure, be it the board of directors, CEO or MD of an entity, expresses its public support for compliance with the act and the principles it seeks to advance. You may remember the article written by Rici van Schalkwyk from Wauko in April on values and company culture post-pandemic. “Everything rises and falls on leadership.”[11] Whether the principles in POPIA are embedded in a company’s culture will depend on the leadership.
Personally, I’m looking forward to more guidance from the Regulator regarding this and other matters as we embark on this exciting journey.
As you embark on your journey, we would love to connect with you and share insights.

References:

  1. William Shakespeare, Romeo and Juliet.
  2. A data subject is of course those people and businesses who the personal information relates to that you are processing (see Section 1 POPIA).
  3. A responsible party is a public or private entity or other person that collects and otherwise process personal information (see Section 1 POPIA).
  4. Please refer to Section 18(1) of POPIA for a detailed description of the information that has to be disclosed.
  5. Section 18(2) of POPIA.
  6. Board Notice 80 of 2003, as amended.
  7. Section 3(1)(c), Section 4(1) and Section 5 of the General Code of Conduct.
  8. https://gdpr.eu/privacy-notice/
  9. https://gdpr.eu/privacy-notice/
  10. https://www.cisco.com/c/dam/global/en_uk/products/collateral/security/2020-data-privacy-cybersecurity-series-jan-2020.pdf
  11. John C. Maxwell.
