Consumers expect that organisations will respect their privacy. For instance, when you buy something online, you take it for granted that your bank details will be kept secure. Or if you provide your identity number at a store, you trust that this will be kept confidential.
But the reality in South Africa is very different. In 2017, a massive data breach saw tens of millions of South Africans’ personal information leaked. A real estate company using an open web server was responsible. There have been other instances also involving large companies.
There are legislative measures in place to protect people’s data, among them the Protection of Personal Information Act. An Information Regulator has been established with the objective of protecting citizens’ personal data. It is also responsible for monitoring and enforcing organisations’ compliance of all organisations with the requirements of the Act once it comes into effect.
Ultimately, though, organisations remain accountable for implementing measures in line with the Act to protect their customer data. Public and private organisations are legally obliged to implement minimum requirements to protect consumer data when they process it.
But research conducted at the University of South Africa has found there’s a huge disconnect between the privacy that consumers expect and are legally entitled to, and what organisations are doing to meet their obligations.
And a survey we conducted as part of the research found that consumers are becoming increasingly disenchanted with South African organisations when it comes to issues of privacy and data protection.
These issues can be addressed in several ways. Organisations must start complying with the Protection of Personal Information Act. This will bring South Africa in line with more than 120 countries that have already enacted data privacy legislation.
Organisations can also adopt and adapt guidelines issued by Information Regulators elsewhere in the world, and can study best practice from other jurisdictions. It could also help organisations if the Information Regulator in South Africa issued guidelines to implement the Act. It would also be useful to set up ways of holding organisations to account. Consumers need to know where to report companies that don’t protect their data.
Our survey found that consumers’ were very concerned about the protection of their data. As much as 64% of the participants know someone personally whose personal data has been misused. Unwanted marketing was common, suggesting that contact information which was meant to be kept private, had been shared with others.
Of the 1007 people who responded to our survey across South Africa’s nine provinces, 83% were concerned about the protection of their data. About 94% were especially worried about safeguarding their identity; 92% expressed concerns about the security of their financial data, and 80% about their health-related data. These concerns were higher (79%) for online transactions when compared to face-to-face transactions (57%).
Consumers also weren’t sure what to do if their privacy had been violated. Only 37% felt they knew where they have to submit a complaint in a violation.
Overall, the survey suggested that South African consumers weren’t confident that organisations always used their information lawfully and for the agreed purposes. The survey outlined all of the act’s major conditions – and most respondents felt companies weren’t meeting any of these. This, of course, affects consumer trust and confidence.
It has bigger implications, too. If a private or public company is domiciled in South Africa, it must comply with the Protection of Personal Information Act. If it processes the data of citizens in another jurisdiction, like the European Union (EU), it must also comply with the EU’s regulations for the processing of personal information.
But, given that consumers feel that so many South African companies seem not to be complying with local data regulations, it’s unlikely they are operating in line with global data rules such as the EU’s General Data Protection Regulation. This may affect companies’ ability to engage in international trade.
Organisations must take heed of their consumers’ privacy concerns, and ensure the methods they use to process and store data are in line with both the law and customers’ expectations. Compliance plans would be useful as compiled by organisations based on international best practice.
It is also obvious from the survey that consumers don’t know who to complain to when their privacy has been violated. Consumers may also not know what the Act entails and what their rights are as only 44% indicated that they have good knowledge about it. The Information Regulator and other consumer organisations should consider awareness and education campaigns to address these gaps.
Consumers indicated that their preference for receiving more information about their privacy rights are mainly the Internet followed by organisations to whom they give their data, as well as the government and banking institutions.