Now that EU laws to keep our information safe have come into force, more power has been put in the consumer’s hands. However, whether this is relevant to users in SA is still a grey area, writes Angelique Ruzicka.
Companies hold a lot of information about us on their databases. Facebook and Google know where we live. Insurance companies like Discovery Insure know where and how fast we travel, and devices like Fitbit share our health and wellness information with our medical aid providers.
Companies have mostly obtained this information legally and with our consent. We’ve given our consent through actions like ticking a box on a form agreeing to being contacted, subscribing to emails and memberships, agreeing that details are shared on loyalty and rewards card contracts or by filling in a survey, which then asks if we’re open to getting more marketing information from the company or service. That information has even been sold on to third parties in certain instances.
But how that information is stored and what happens with it is finally being regulated. In the EU, the General Data Protection Regulation (GDPR) came into force on May 25. Although the laws aren’t enforceable on our shores, scores of South African consumers have been badgered by a raft of emails asking whether they still want to belong to databases or receive emails. But what does it all mean?
DO SOUTH AFRICANS BENEFIT?
Companies that are based in Europe, and which may have obtained your information while you were on the continent for work or on holiday, certainly have to comply with the new regulations.
Unfortunately, the GDPR doesn’t apply to companies operating in South Africa, but they may want to contact you so that they can legally cover themselves if they use your information.
ARE WE PROTECTED AT ALL?
When it comes to privacy and data laws, South Africa has its own set of rules in the pipeline known as the Protection of Personal Information (Popi) Act. However, it hasn’t been promulgated yet, so it’s not enforceable, but it’s set to be just as powerful as the GDPR, and most companies are getting ready for its implementation.
Alison Treadaway, a digital communications specialist at Striata, points out that, while companies that breach the GDPR could get fined, those contravening the Popi Act could be criminally prosecuted.
“People won’t just get away with fines, they could also go to jail,” she says.
Keeran Madhav, director of forensics at Mazars, says: “Once the Popi act is fully promulgated, organisations will probably have 12 months in which to comply. I’ve been to a number of seminars and they are adamant that it will happen soon.”
WHAT IS THE GDPR?
The GDPR boasts some non-negotiable points about what happens to a consumer’s data, and it gives some power back to customers about what can be done with that information. Fines for noncompliance are hefty.
“Companies that have breached the GDPR are liable to a maximum fine of €20 million (R289 million) or 4% of annual turnover. This is the reason many companies – local and international – are sending out emails. They don’t want to leave a stone unturned,” says Madhav.
Here are some ways in which the GDPR helps the EU consumer or any customer who is receiving a product or service from a company that is part of the EU:
INFORMATION ABOUT DATA BREACHES: EU consumers will have the right to know if there’s been a data breach that affects their personal information, as news of this nature can no longer be swept under the carpet. Under the laws, both the regulator and affected individuals have to be notified within 72 hours.
THE ‘RIGHT TO BE FORGOTTEN’: EU citizens have the “right to be forgotten”, which means organisations must delete their personal information from all data stores when they no longer need it or at the request of an individual. However, if there are grounds to hold on to the information (legal or regulatory), companies may keep the data, but must say why they are doing this.
FULL DISCLOSURE: Customers are allowed to ask companies about the information they have about them and ask to see it as part of what’s called a data subject access request. Companies must provide the information within 30 days.
CUSTOMERS CAN ASK FOR ACCURACY: Information stored about customers must be accurate and up to date. If it’s not, they can ask companies to correct the data under the GDPR.
CUSTOMERS CAN ASK NOT TO BE PROFILED: Many companies profile their customers. Insurers, for example, say that drivers who are younger than 25 are more likely to be involved in a car accident than drivers who are older, so they pose a greater risk. But customers can request that their profile not be categorised as such and instead be reviewed on its own merit.
A CHANCE FOR A CLEAR-OUT
GDPR compliance emails may be a nuisance, but this gives you the opportunity to find out what information a company has about you.
“The GDPR law is a good thing as it’s shone a spotlight on data privacy. It’s an opportunity for South Africans to declutter. You have a chance to actively say no to stuff that you don’t want to receive or don’t respond to, and you should get struck off the list,” says Treadaway.
HOW TO PROTECT YOUR OWN INFORMATION
Before the Popi Act comes into effect, it’s up to you to take care of your personal information. Here’s how you can do it:
- Be careful when handing out information online.
- Be active in managing your own information.
“Your Gmail inbox shields you by filtering the junk mail, but those people and companies are still using your information and could be sharing it. Find out why you receive these emails or unsubscribe from them,” says Treadaway.
- Check your privacy settings on all social-media networks and change your passwords.
- Protect your email address. Treadaway recommends checking your email address on haveibeenpwned.com. The site allows you to search across multiple data breaches to see if your email has been compromised.
“If you find your email address on that site, you have to change your login and passwords,” says Treadaway.
- Don’t click on links from people you don’t know or in emails you weren’t expecting.