Data Regulation: How to Implement Technological Solutions

Data is an exceptionally valuable resource – some even refer to data as the modern version of oil. Protecting this asset should be a central business concern, it should not – as is often the case – be considered an information technology or legal issue.

The Protection of Personal Information Act 4 of 2013 (‘POPIA’) and the Promotion of Access to Information Act 2 of 2000 (PAIA) have meant that many South African businesses have considered technological solutions in their quest to ensure compliance with data processing and access laws, and to manage data in general.

What key considerations should a business take into account when implementing technological solutions for data regulation? The list below is flexible and by no means closed, but these are some key points to consider:

  • What is the business trying to achieve? This sounds like an obvious question, but to avoid a “tech for tech’s sake” approach, give careful thought to the exact purpose of the solution. Is it to facilitate POPIA compliance?  PAIA compliance?  Does the GDPR apply to the processing activities of the business?
  • How will the solution be implemented in the specific business? Will it replace or complement an existing compliance framework? How will the solution aid a business imperative or a legal obligation?
  • Consult with relevant stakeholders in the business with a view to developing a comprehensive plan. Each business will differ, but from board to tech to legal – consider the “what” and the “how” set out above and ensure everyone is pulling in the same direction. Ensure that the solution proposed is going to a) solve the problem, and b) be capable of delivery from a technological perspective (e.g. is mobile required? Do you have iOS and Android functionality? How will it fit into the existing IT environment?). Avoid an approach where business-critical decisions are taken in silos. To be sure, you can’t please everyone, and not everyone will agree – but consult widely and gather all the relevant information.
  • Develop an implementation plan. Use the information collected from the first three steps to develop a comprehensive plan that addresses the “what” and the “how”, and detail how the proposed solution addresses these in the context of the business concerned. In addition, consider the risks, the costs, and the resources required. Set out how the solution will assist the business, increase turnover, reduce costs, and so on.
  • Critically evaluate the software. What will it assist in achieving?  Are the claims made by the platform objectively verifiable?  How is the user experience?  What are the license terms? Critically, as part of your evaluation, with the greatest of respect, be sure that you are not taking legal advice from someone not qualified to give you that advice. For example, if the “what” and the “how” relate to POPIA compliance, consider, independently, the obligations imposed by POPIA and its Regulations, or seek professional advice on those issues. POPIA and its regulations provide that a responsible party (the term applicable to a person who processes personal information) must, amongst other things, perform a risk assessment and develop, implement, monitor, and maintain a compliance framework.  In addition, responsible parties should conduct training and develop measures and systems to deal with data subject requests.  Above all, responsible parties must ensure that they are complying with the 8 conditions for lawful processing set out in the Act.  Consider the following: does the application achieve compliance in one or more of these aspects?  What manual intervention will be required?
  • Implementation. What is required to get the solution off the ground?  What user training is required?
  • Post-implementation. What support is needed?  How often will the tech be reviewed?  Tech is never static – the law changes rapidly too.  Create an internal champion (if not already in place) and drive regular reviews of how the project is actually working, and what changes in future may be required.

Can a software application solve all of your compliance problems? Probably not. Depending on the problem and use case, the right application can certainly go a long way towards assisting with compliance, but taking POPIA as an example, a risk assessment and training will usually need additional human input, and classifying and entering data remains a thorny issue. Although I obviously cannot say I have reviewed every software package available, it is likely that each application will have its own pros and cons and will need to be supplemented in some way. Accordingly, it is key to have a firm grasp of which legal requirements you are seeking to satisfy by using tech, and then to evaluate how they are being achieved. Tech has come a long way over the past two decades. Those who started practice around the turn of the century will have experienced tech as a fax machine and a clunky practice management system that was slow and counter-intuitive; this has changed, but look at things carefully before deciding you are “fully compliant”.

Also: remember, as at end October 2022, the Information Regulator has not endorsed any specific application, and one will not be able to defend a claim from the Regulator or a data subject with “the software told me it was compliant with POPIA”.

Finally, I look forward to unpacking this topic at the Tech Fest on 8 November 2022 in Sandton, where I will look at this in light of the steps required to achieve data protection compliance, and to briefly review issues such as the role of the Information Regulator, cross-border data flows, and South Africa’s regulatory regime in comparison to the EU and the UK.

About the Author

Dr Lee Swales – Attorney and Law Lecturer, Livingston Leandy Incorporated

Lee is a senior commercial attorney and law lecturer. He focuses on technology related legal issues, commercial agreements, data protection, and regulatory compliance. Lee primarily advises clients on a wide range of commercial and corporate matters as well as data protection compliance, information and cyber security, crypto-currency regulation, software agreements, and intellectual property related issues. Lee is passionate about technology’s intersection with the law, and the future of digital assets in the Web3 environment.
