Understanding how data privacy rules differ across borders is essential in an increasingly globalized digital world. This page covers the GDPR (General Data Protection Regulation) of the European Union, the POPI Act (Protection of Personal Information Act, POPIA) of South Africa, and ISO/IEC 27018, an international standard published jointly by ISO and the IEC.
What is GDPR?
The GDPR was adopted in April 2016 and has applied since 25 May 2018, replacing the 1995 Data Protection Directive (95/46/EC). It reshaped data protection rules within the European Union and, because of its reach beyond EU borders, well outside it, and it is widely treated as a milestone in digital rights.
Under the GDPR, data subjects have enforceable rights over their personal data, including the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17) and the right to data portability (Article 20). Controllers must be able to honour these rights, and to show how they do so, whenever they process personal data.
Organisations that breach the GDPR face administrative fines of up to €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)); a lower tier of up to €10 million or 2% applies to less serious infringements (Article 83(4)). The size of these fines is what gives the regulation's safeguards their weight.
What is the POPI Act?
In parallel, South Africa has its Protection of Personal Information Act (POPIA, commonly shortened to POPI), which took effect on 1 July 2020 with a one-year grace period for compliance. It closed the gaps left by the earlier, piecemeal regulation of personal information in South African law.
Like the GDPR, POPI grants individuals (data subjects) rights over their personal information: the right to be notified when their information is collected, the right to ask a responsible party whether it holds information about them and to obtain a copy of it, and the right to request correction or deletion of that information. Complaints are handled by the Information Regulator, which enforces the Act.
Breaches can attract an administrative fine of up to ZAR 10 million. The most serious offences under the Act (for example obstructing the Information Regulator, or unlawfully obtaining or selling account numbers) are criminal and carry a fine or imprisonment of up to 10 years; lesser offences carry up to 12 months.
What is ISO 27018?
ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) in public clouds. It takes the control set of ISO/IEC 27002 and adds implementation guidance, plus additional controls, that apply specifically to a cloud service provider acting as a PII processor on behalf of its customers.
Its controls are organised around the privacy principles of ISO/IEC 29100: collecting no more PII than is needed, processing it only on the customer's documented instructions and obtaining consent where the customer requires it, being transparent about where PII is stored, how it is handled and which sub-contractors are involved, restricting disclosure and onward transfer of PII, securing it (for example with encryption in transit and at rest), notifying the customer promptly of any unauthorised access, returning or securely disposing of PII at the end of the contract, and giving customers the means to let their data subjects access, correct and delete their own data.
ISO/IEC 27018 is not law: no regulator fines a provider for ignoring it. It is, however, widely written into cloud contracts and procurement requirements, and providers are normally assessed against it as an extension of an ISO/IEC 27001 certification audit rather than on its own. A provider that claims conformance and then falls short faces contractual and reputational consequences, and in many cases the underlying failure will also be a breach of the GDPR or POPI obligations it carries as a processor.
GDPR vs POPI vs ISO 27018
The GDPR and the POPI Act resemble each other closely: both give individuals rights over their personal data and both back those rights with substantial penalties. Where they differ is in scope. The GDPR applies to organisations established in the EU and, extraterritorially, to those outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3). POPI applies to responsible parties domiciled in South Africa and to those outside it that use means located in South Africa to process personal information, unless those means are used only to forward the information through the country (section 3).
ISO/IEC 27018, by contrast, is a voluntary standard with no legal force of its own. What sets it apart is that it is international rather than tied to one jurisdiction, and that it is scoped specifically to cloud service providers processing PII on their customers' behalf.
In short, the GDPR, POPI and ISO/IEC 27018 share the goal of protecting personal information but differ in how they are applied and enforced: two are laws with regulators and fines behind them, while one is a control framework that providers adopt by choice or by contract. Understanding those differences matters to any organisation that processes personal data across borders or relies on cloud providers to do so.
FAQs
The seven data protection principles set out in Article 5 of the GDPR are:
- Lawfulness, Fairness and Transparency.
- Purpose Limitation.
- Data Minimisation.
- Accuracy.
- Storage Limitation.
- Integrity and Confidentiality (Security).
- Accountability.
Although the UK has left the EU, it retained the regulation in domestic law as the UK GDPR, which sits alongside the Data Protection Act 2018. It is almost identical to the EU GDPR and provides the same level of data protection for people in the UK.
The GDPR is the regulation that protects the personal data of people in the EU (and, through the UK GDPR, the UK). It matters because it gives individuals control over their personal data and obliges the organisations that hold that data to process it lawfully and keep it secure.
The eight conditions for lawful processing under the POPI Act are:
- Accountability: The responsible party is accountable for ensuring that all of the conditions are met.
- Processing Limitation: Personal information must be processed lawfully and in a reasonable manner that does not infringe the data subject's privacy, with consent or another legal justification, and collected directly from the data subject where possible.
- Purpose Specification: Personal information must be collected for a specific, explicitly defined and lawful purpose, and not kept longer than that purpose requires.
- Further Processing Limitation: Any further processing must be compatible with the purpose for which the information was originally collected.
- Information Quality: The responsible party must take reasonable steps to keep the information complete, accurate, not misleading and up to date.
- Openness: The responsible party must document its processing and take reasonable steps to make the data subject aware that their information is being collected, by whom and for what purpose.
- Security Safeguards: Appropriate, reasonable technical and organisational measures must be in place to protect the information against loss, damage, unauthorised destruction and unlawful access, and the responsible party must notify the Regulator and affected data subjects of a breach.
- Data Subject Participation: The data subject has the right to access their personal information and to request its correction or deletion.
Personal information under the POPI Act includes, for example:
- Personal contact details such as name, address, telephone numbers and date of birth.
- Identification information such as an ID number or passport number.
- Financial information such as bank account numbers, credit card details, income or credit history.
- Employment details, health information, and biometric data such as fingerprints, voice samples or facial recognition data.
- Personal opinions, preferences and interests, and the opinions of others about the person.
All public and private bodies that process personal information in South Africa (or using means located in South Africa) must comply with the POPI Act. This includes, but is not limited to, companies, government agencies, non-profits and sole proprietors.
ISO/IEC 27018 is an international code of practice for protecting personally identifiable information (PII) held in public clouds. It specifies the controls a cloud provider acting as a PII processor should implement, building on the ISO/IEC 27002 control set.
ISO/IEC 27001 is the broader, certifiable standard: it specifies the requirements for an information security management system (ISMS) covering all of an organisation's information assets, not just personal data. ISO/IEC 27018 is a narrower code of practice that adds PII-specific guidance for cloud providers and is typically audited as an extension of an ISO 27001 certification rather than on its own.
ISO/IEC 27017 provides cloud-specific security guidance, with recommended controls for both cloud service providers and cloud customers, without a particular focus on personal data. ISO/IEC 27018 focuses specifically on the protection of PII in cloud computing environments. The two are complementary and are often adopted together.
ISO/IEC 27701 extends ISO/IEC 27001 and ISO/IEC 27002 into a privacy information management system (PIMS), covering organisations in both the PII controller and the PII processor role, in any environment. ISO/IEC 27018 is narrower: a code of practice for PII processors specifically in public cloud environments, outlining the controls for securing PII held there.