To ensure that digital services are consistent with the new data protection laws, business technology leaders doing business in Africa need to be aware of existing legislation.
According to Privacy International, most African nations, including some of the biggest sub-Saharan markets, have adopted some form of regulation with the objective of protecting personal data.
To a large extent, the impetus around data protection in the region has been propelled by the pioneering GDPR legislation of the European Union.
GDPR was introduced in 2016 and since then it has provided a superb structure and an effective model for the legislation of many countries worldwide.
Many technology leaders have been hoping for some form of cooperation between African Union countries on data protection legislation.
Likewise, the apparent indifference of local populations to the problem seems to be one of the recurrent stumbling blocks.
Moreover, research has indicated that many people do not care much about data security and do not recognize their right to privacy.
Because people are so hungry for internet connectivity, they are willing to go along with it, even when the issues of data protection are only addressed at a later stage.
“Unfortunately in many cases we are dealing with asymmetric data scenarios where the individual may be ‘obliged’ to divulge data ‘voluntarily’ in order to receive assistance or tangible benefits, without being able to assess the value of what they are divulging, or being able to bargain for fair value,” said Joseph Atick, executive director of ID4Africa, a non-profit organization dedicated to the fair value of what they reveal.
Public pressure may be a potential accelerator to speed up the implementation of legislation.
But without a big cybersecurity threat that helps to show just how insecure the data of most people really is, it seems unlikely to happen.
“Generally speaking there is still no broad awareness of the value of data by the general public in Africa. And hence the question of privacy and data protection and associated regulations appears to be a secondary priority for the population at this stage of development of digital societies,” Atick said.
“This will change as the data economy emerges in Africa, as it did in the rest of the world. More-also, the value of data gets established within a market economy guided by robust data governance frameworks.”
While African nations are far from moving towards data protection laws in lockstep, there are several common principles that form the basis of legislation passed in Africa:
Organizations collecting data ought to make it clear that they are doing so and justify why they are doing so. They can only gather information for as long as it is required to complete the aforementioned objective.
They should strive to reduce or restrict the amount of data they obtain, as a way to safeguard people in the case of a breach.
Inaccurate or missing information should be discarded as soon as possible. Data gathered for a given reason should be removed once it is no longer required.
These fundamental elements form the basis of most new legislation in the field of data security.
Four African economies are taking measures to build laws that suit the moment in the digital economy.
However, progress in Nigeria over the last 18 months has been quite volatile.
Nevertheless, progress has been made in implementing a comprehensive system for data protection regulation.
“A code of practice that ensures the privacy and protection of personal data without unduly undermining the legitimate interests of commercial organizations and government security agencies to collect such data.”
Data security is a key component of the National Information Technology Development Agency’s (NITDA) Digital Economic Policy and Strategy.
For some time, Kenya has been at the forefront of African technology and innovation.
So it’s shocking that the country only passed its Data Security Regulations in November 2019.
There are four different elements to the Act, which provide a detailed overview:
- The formation of the Data Protection Commissioner’s Office
- The oversight of personal data collection
- Provision for the interests of subjects of the data
- Establishment of data controllers’ and processors’ responsibilities.
Offences will result in fines of up to five million Kenyan shillings and prison time.
But progress has been slow following the passage of the Act.
For instance, it took another 12 months for the new Data Protection Commissioner, Immaculate Kassait, to be sworn into the role.
On July 1, 2020, the long-awaited Security of Personal Information Act (PoPIA) of South Africa was finally signed into law.
A grace period of twelve months has been allowed to give businesses time to comply, and liability takes effect from 1 July 2021.
Basically, the purpose of the Act is to compel all public and private bodies to follow strict guidelines when gathering, sorting, storing and exchanging personal information.
It differs from the GDPR in that sense, since it is limited to information that is processed within the boundaries of South Africa, while the GDPR offers a blanket cover for all European citizens, no matter where on earth the information is collected.
In cybersecurity legislation, Ghana has been way ahead of other African countries, creating the Data Protection Act in 2012.
“To protect the privacy of the individual and personal data by regulating the processing of personal information.”
The Data Protection Commission introduced new technological tools in October 2020 that streamline the process of registration and renewal and improve the user experience.
It also announced a six-month amnesty period which runs until March 2021, “during which any applicable arrears will be waived allowing defaulting Data Controllers to register with the Commission and pay the current year’s fee due only.”
What the data laws of Africa mean for business.
But South Africa and Nigeria, among other nations, demonstrate that even nations that are moving ahead of their regional peers in Africa can use the GDPR and the data protection convention of the AU as a basis for mapping their path.
As such, when rolling out digital services on the continent, business IT leaders would do well to focus on the fundamental principles of the GDPR, most especially in countries that have not yet enacted their own unique regulations.
“We’re fast getting to a world in which each organization has to comply with the data protection laws of many countries.”
While many African countries are on a slow road towards enforcing data protection laws, there is an overall steady progress towards a common set of principles underlying such laws.
“Data knows no boundaries and neither do data protection laws,” said John Giles, the managing attorney at Michalsons, a South African law firm.
Fortunately, data protection policies are very common around the world and we really have a set of global rules.
As different cultures value privacy differently, there will always be some local variations.
Yet about 80 percent will still be the same.
Source: CIO via TechGist Africa