It takes time to instill a data compliance culture
On 28 January, the data privacy communities around the world celebrate Data Protection Day. It is an international effort to create awareness about the importance of respecting data privacy, safeguarding data and enabling trust. The objective of this day is to sensitise individuals and disseminate privacy practices and principles.
What is personal data?
Personal data is any information which relates to a living individual. It includes the obvious items, such as name, residential address and telephone number, but also less obvious ones such as facial images, fingerprints, location data, sexual orientation and IP addresses, to name but a few. To put it simply, any information from which the identity of a person can be revealed amounts to personal data. The Data Protection Act 2017 (DPA) is the main legislation in Mauritius which governs personal data.
Why should there be a law to protect our personal data?
Just as there are laws which protect someone’s property against theft or trespass, data protection laws likewise protect an individual’s personal data by ensuring that it is not collected, used, stored or deleted without the individual’s knowledge or consent. By way of example, a person’s photo or fingerprint cannot be taken without his consent; a supermarket cannot use the residential address, phone number or email address of a person to send marketing materials by post, SMS, WhatsApp or email if the person has not consented to receiving such marketing materials; an individual cannot be forced to give his health data (such as whether or not he has been vaccinated against Covid-19) unless the legal basis, purpose and relevance of collecting such data are explained to him, and he is informed of any possible disclosure of such data to third parties, as well as of the security measures which are in place to protect the data from any leakage or tampering.
Who should be concerned with data protection?
If you are a living individual, then you are a data subject and thus the DPA applies to you. If you are an employer, then you should also be concerned about the protection of your employees’ data. As an entrepreneur, the protection of your clients’ data, or that of your service providers, directors or shareholders, should be high on your agenda. Any data breach, i.e. any accidental loss, erasure or unlawful disclosure, amounts to a breach of the DPA, which is a criminal offence punishable by a fine and a term of imprisonment. But most importantly, it will result in reputational damage, which is often irreparable.
“Data protection” has been the buzzword for the last 3 years or so. Why is that?
There are two reasons for that. The first is that since 15 January 2018 we have had new local legislation on data protection, namely the DPA. The second is that on 25 May 2018 the EU General Data Protection Regulation (the “GDPR”) came into effect. Thus, both nationally and internationally, changes have been brought to the regulatory landscape of data protection to give enhanced rights to data subjects and to impose new obligations on data controllers.
Our local DPA is closely inspired by the GDPR, which sets new international standards for data protection. It is to be noted that, as the EU is the main business partner of Mauritius, it was important and pressing for Mauritius to be regarded as having adequate laws on data protection which give sufficient protection to an individual’s personal data. This was the only way Mauritius could ensure that the EU would continue to transfer the personal data of its people to Mauritius, thus allowing the BPO sector (which, to a large extent, processes data for payroll or other human capital functions) and the hospitality sector to continue to thrive.
Why is compliance with data protection laws challenging?
Compliance with data protection laws is challenging because the DPA is quite a technical piece of legislation, thus requiring legal assistance to interpret and apply. Furthermore, it takes time to change one’s mindset and instill a data compliance culture. For instance, people still find it alright to take a photo and post it on social media without having obtained the consent of all those in the photo. Worse, they find it fine to post photos of their children on social media just because they can consent for them, forgetting, however, that in a few years’ time their children will have a right to object to these photos staying on the online platform. Most of us are still receiving unsolicited marketing emails without complaining. We still find it normal to share the CV of a potential candidate, which we do not need, with a friend who happens to be looking for a candidate to fill a vacancy, without obtaining the prior consent of the potential candidate. We also have no qualms when our supermarket asks us to fill in a fidelity card form where we have to reveal our age, status, date of marriage and number of children, and where there is a pre-ticked box to receive marketing materials instead of us actually ticking the box. It is high time that we start asking why we are being asked to give our data. If the answer to the question is not clear and to the point, then we should refrain from giving our data or sharing the data of those for whom we are the custodian.
Has there been a significant increase in the number of complaints made to the Data Protection Office or to fines being imposed on controllers internationally?
According to the Annual Report 2020 issued by the Data Protection Office (“DPO”) of Mauritius, there has been a threefold increase in the number of complaints made to the DPO since 2018. This shows that not only are people becoming aware of their rights under the DPA, but they are also actually exercising those rights whenever they feel that there has been a breach of their personal data. Most of the complaints pertained to the unauthorised use of CCTV cameras, the refusal to give access to data when a request is made by a data subject, or the unlawful disclosure of personal data.
At international level, we can see that, year after year, data protection authorities are imposing higher fines and the number of breach notifications is also increasing. According to the DLA Piper GDPR Fines and Data Breaches Survey 2022 (https://www.dlapiper.com/en/africa/insights/publications/2022/), a survey of emerging trends in enforcement and sanctions across 31 European countries, there has been a sevenfold increase in the fines imposed compared to the previous year. The highest fine ever imposed for non-compliance with the GDPR was imposed in 2021 by the Luxembourg National Commission, to the tune of EUR 746 million, on a US-based online retailer. This fine is, however, under appeal.
What steps should be taken to comply with the DPA?
Complying with the DPA may be a long process but each step towards compliance is a step towards being ethical and accountable towards data subjects whose data are being processed. It is also a step towards having an edge over competitors.
All natural and legal persons processing the data of their clients, employees, service providers, directors and shareholders need to be registered with the Data Protection Office. It is also important to carry out a gap analysis to identify the gaps in compliance. The DPA requires that policies, notices and assessments be in place, that security measures be taken to protect data kept in soft or hard copy, that the relevant forms be filed with the Data Protection Office, and that ongoing training be conducted for employees, as we all know that the weakest link is the human link.
Compliance with the DPA may be a long process, but it is a rewarding one.
This article was published in the L'Express Newspaper on 30.01.2022.