The Convention on Cyber Security and Data Protection of the African Union (known as the Malabo Convention) outlines principles which urge all AU Member States to respect and protect the privacy rights of individuals both online and offline.
Multiple Member States have already ratified the Malabo Convention or introduced data protection laws, and South Africa has become the latest African country to legislate on the protection of personal information, with the South African Personal Information Protection Act (POPIA) coming into force on 1 July 2020.
South African organisations must now move along with countries including Kenya, Botswana, and Nigeria to comply with new regulations to protect the identification and personal information they collect, store, and manage.
As pan-African trade picks up, and as African countries seek to boost exports internationally, global best practices in the protection of personal information will become ever more important.
However, complying with pan-African and global data privacy and security laws and regulations can be a daunting task for any organisation, particularly since the requirements are often vague and ambiguous, with little specific guidance as to how compliance can be achieved. According to a 2019 survey carried out by Sophos, only 34 per cent of South African organisations reported being ready to comply with POPIA.
Start with a business privacy impact assessment
Condition seven of South Africa's POPIA (Security Safeguards) requires organisations to take ‘appropriate and reasonable measures’ to safeguard personal data. The concept of acting ‘reasonably’ is used in many privacy laws throughout the world and requires a business to do what is appropriate to protect its data.
Prioritise your high-risk processes
Processes which are at high risk should always come first. Start with the personal data of clients and customers, then work towards the personal data of employees. This will involve collaboration with many departments, so executive buy-in is a must, and privacy compliance should be pitched as business enablement.
Drive an awareness campaign
Employees need to be informed about and trained in the organisation’s security requirements, and to learn the basic principles of privacy and best practices and how to apply them at work. Employee security awareness training is one of the most effective means of reducing the potential for costly errors in the handling of sensitive information and in the protection of company information systems.