Navigating Lesotho's Data Protection Act, 2012. A Guide for Businesses


Introduction
In today’s digital landscape, data is one of the most valuable assets a company can hold. However, with great data comes great responsibility. The Data Protection Act, 2012 (hereinafter called The Act) aims to safeguard personal data and privacy. The Act’s overarching goal is to ensure that personal information is handled responsibly and ethically, protecting individuals’ privacy while facilitating the legitimate flow of information.
From a small business to a conglomerate, data protection isn’t optional. Data breaches have brought even the most formidable companies to their knees. Such breaches invariably carry serious financial and reputational consequences, and both finances and reputation are cardinal to the success of any company.
This blog will break down the core principles of The Act, outline what compliance with the Act looks like in practice, and provide actionable steps to help your organisation stay on the right side of the law.
What Is "The Act"?
The Data Protection Act, 2012 is a legal framework that sets out principles regulating the processing of personal information. Its purpose is to protect and reconcile the fundamental and competing values of personal information privacy under The Act itself, under sector-specific legislation, and in other related matters.
Why Compliance With The Act Matters
Financial Penalties or Imprisonment: A person who commits an offence under The Act is liable, on conviction, to a fine not exceeding M50 000.00, to imprisonment for a period not exceeding 5 years, or to both. If the offender is a juristic person, the sentence shall be served by the Chief Executive Officer.
Consumer Trust: Customers are more likely to engage with businesses that respect and protect their personal data.
Mandatory Compliance: Compliance with The Act is not optional. Companies, big and small, must protect consumers’ data.
Core Principles of The Act
Lawfulness, Fairness & Transparency: Data must be processed legally and transparently with clear communication to the data subject.
Purpose Limitation: Data must only be collected for specified, explicit, and legitimate purposes.
Data Minimisation: Personal data can be collected if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
Accuracy: Personal data must always be accurate and kept up to date.
Storage Limitation: Data must not be retained for longer than necessary.
Integrity and Confidentiality: Data must be secured against unauthorised access, loss, or destruction.
Accountability: Any organisation must be able to demonstrate compliance with all these principles.
Key Rights Under The Act
Right to Access: Data Subjects have a right to request information about what personal data is held about them and how it is being processed.
Right to Rectification: Data Subjects can request corrections to inaccurate data.
Right to Erasure (Right to be Forgotten): While not explicitly mentioned in The Act, the principles of data protection, such as lawful, fair, and transparent processing, imply a right to erasure when data is no longer necessary or the processing is unlawful.
Right to Object to Processing of Data: Data Subjects can object to processing that is likely to cause unwarranted damage or distress, particularly for direct marketing purposes.
What Compliance Looks Like in Practice
Obtaining a clear, affirmative consent before collecting personal data.
Implementing a robust compliance program within the organisation.
Creating a clear privacy policy and making it easily accessible.
Conducting Data Protection Impact Assessments (DPIAs) for high-risk data processing.
Maintaining an up-to-date data processing register.
Ensuring agents are also compliant.
Implementing technical and organisational security measures.
Steps to Ensure Compliance With The Act
Audit Your Data: Understand what personal data you collect, where it’s stored, and who has access to it.
Update Policies and Contracts: Review privacy policies, employee contracts, and vendor agreements for alignment with The Act.
Train Your Team: Employees should understand data protection responsibilities and know how to respond to data breaches.
Prepare for Data Breaches: Establish a breach response protocol. The Act requires breaches to be reported to the Commissioner and to the affected data subject as soon as reasonably possible.
Implement Strong Security Measures: Encryption, firewalls, secure storage, and regular audits are essential.
Final Thoughts
Data protection compliance is not a one-time task but an ongoing commitment to respecting user privacy and safeguarding data. In an era where digital trust is critical, staying compliant doesn’t just keep you out of legal trouble; it can also set you apart from competitors.
If your business is struggling to navigate the data protection requirements, consulting with a data protection expert or legal advisor is highly recommended.
Need Help with Data Protection Compliance?
Our consultancy specialises in data protection, regulatory compliance, and risk management. Get in touch today to schedule a compliance assessment.
Email us at aaksolutions1@gmail.com
Call: +266 58533664 | 59919591


About Author
Senior Compliance Officer at AAK Solutions. Graduated from the National University of Lesotho with a Bachelor's Degree in Law. Five years of academic writing and over 10 years of creative writing!
She loves literature and movies.
Email: mphoza4gift@gmail.com