Privacy and Personal Information – GDPR and POPIA
The European Union recently passed a new set of laws that govern the protection of personal information. These are called GDPR (General Data Protection Regulation), and for our purposes, they govern the way the data of European citizens must be handled, by anyone who deals with European citizens.
The law also states that if you have the personal data of European citizens, you may not use or share that data with any company (European or otherwise), unless they are also fully GDPR compliant. This means any company that deals with European companies (in such a way that any of their customers’ personal data is shared) must also be GDPR compliant, or lose their European market. As soon as they become GDPR compliant, their partners must also become GDPR compliant, and so on. The practical effect of this law has had wide reaching consequences for most medium and large companies in the world, and shown clearly just how important the EU is economically in the world market.
At the same time, the South African government has introduced the POPI Act (Protection of Personal Information act). The act is very similar to the European version, with only minor differences. Most companies find it pretty easy to comply with both regulations at the same time. POPIA applies to all South African citizens, and affects all companies that handle the data of those citizens, etc.
Disclaimer: I am not a lawyer, and this post is written mostly from memory. It is not intended as a primary source for information. It is intended to let you know about things you need to be aware of, to let you know what you don’t know. If there is anything in this post that you feel might affect you. you should research the facts yourself. That probably applies to all blog posts.
What does GDPR require of you?
We’ve seen that GDPR and POPIA (if you’re South African) will probably affect you, but does that mean for you and your systems? Well:
- You must get the explicit permission of the person before you collect and store any personal or personally identifying data. If you collect a name, ID or Social Security number, age, size or even anonymous ui preferences in a cookie, you must seek the permission of the person first. This is why all those European websites have started adding those irritating “we use cookies” notices we all ignore.
- You must know exactly what data you are collecting, and what you intend to use it for. This information must be shared with the person when you seek their permission. You may not use personal data for any purpose other than that for which you sought permission.
- Selling data to a third party is the same as using it yourself:
- You may only sell the data to a GDPR compliant company.
- They must tell you exactly what they intend to use the data for.
- You must get clear and transparent permission from the person for that use when you collect the data.
- All the data you collect must be stored securely. All new IT systems you create, and any existing you upgrade, must be designed with data security as a first principle. The data must be encrypted, and access to the data must be strictly controlled. Give access to as few people as possible, strictly on a need-to-know basis.
- Your company must maintain a data breach registry. It must report every breach to the GDPR, and to each individual whose data has been compromised, pretty much immediately (within 72 hours).
- You may only store data while you need it. As soon as you no longer need any personal data, it must be deleted.
- Every person has the right to be forgotten; if any person for whom you have data contacts you to say they want to be removed from your system, you must comply immediately
- You must provide a mechanism for the person to make this request. You cannot hide it behind multiple steps of red tape (“Sure we can remove your data. Please just fill in these forms, and send us a certified copy of your id, and we’ll get right on it”). As soon as your company becomes aware that a person wishes to be forgotten, you must remove all their data.
- You may maintain a list of identifiers of persons who have requested to be forgotten, but only to ensure they are not re-added to your system.
That’s pretty much the core concepts. There is more to it, and if your company does choose to become GDPR compliant, they will make sure you know all about it (that’s another one of the GDPR compliance requirements), but even if not, these are pretty good rules of thumb for handling the personal information of your users anyway.