Understanding the Data Protection Act 2021.

What does the Data Protection Act mean for Information Security?

Information security, sometimes also referred to as IT security or cybersecurity, sits on three legs: confidentiality, integrity and availability. Confidentiality in this case means keeping sensitive data private and inaccessible to people who aren’t allowed access to it. Integrity means data should be exactly as it was when it is required. So if I have, let’s say, data about a person, at any point when I want to access that data it should not have been changed or deleted; it should be whole and valid. Availability means data should be accessible at the point I need it. If you want to view your bank statement on an app or through online banking, it should be accessible to you at that point. The existence of a Data Protection Act (DPA) helps support information security and the work we do: it stipulates what is required of anyone controlling or processing data to keep that data secure.

The DPA has some benefits for businesses.

The Zambian constitution has a part that refers to the right to privacy, and in past years we’ve had acts that try to support that. But we didn’t have an act that specifically deals with personal data to this degree. For most businesses, especially SGBs and SMEs, the act might seem like more work to do. While that is true in certain respects, there are also compliance benefits. Here are four benefits for businesses:

  1. When an organization follows this act, it is less likely to suffer from cybercrime. Its systems would be better protected because the act stipulates that organizations with access to personal data must put in place technical security measures to limit data leakages and data losses.
  2. Compliance with this act can improve business processes and bring better awareness of what security vulnerabilities exist in an organization. Previously, businesses would collect just about any data from their customers, even data that was not necessary or required at that particular time. Now, businesses need to think carefully about what the data they’re collecting is needed for and communicate that to their customers. That means companies will collect only the data that is necessary to achieve their business needs, as per their strategy.
  3. Better data management. An organization can conduct an audit to see what data it has, how it is collected and what it is used for. This can help create a framework for what data it needs to keep collecting, how often it needs to collect it and what data it should forgo. It helps reduce how much data is collected, which simplifies and streamlines data processes.
  4. The DPA gives the organization credibility. Customers, investors and potential partners can trust that you have measures in place to secure data and therefore abide by the right ethics.

How does the Zambia DPA compare with other countries in the world with regard to securing information systems?

According to the United Nations Conference on Trade and Development (UNCTAD), 71% of countries have data protection legislation while 9% have a draft. Zambia is among the 71%, so what we now need to do is keep refining. Securing systems has many different aspects: risk assessments, security awareness, implementation of technical measures such as multi-factor authentication and end-to-end encryption, development and implementation of security policies, and so on.

The act has a provision for the data protection commissioner to license data auditors. Having a data auditor perform a data audit is a form of risk assessment, which is an important aspect of information security. Knowing what data you have and the risks surrounding it helps you put appropriate measures in place to safeguard the data.

Another function of the auditor is carrying out security awareness, which is another important part of information security. When people both inside and outside the organization are aware, security posture is enhanced. As the common saying in information security goes, “the weakest link in security is a human”. Sophisticated tools and systems do help to keep information and information assets safe, but if people do not understand the need for security or its basics, it creates a loophole for cybercriminals.

Organizations need to provide guarantees regarding the technical and organisational security measures employed to protect personal data. They must conduct impact assessments for new processing activities which are likely to result in risks to the rights and freedoms of individuals, and implement things like access management, data protection policies, periodic reviews of security measures and encryption of data.

Comparison of the Data Protection Act in Zambia, Protection of Personal Information Act in South Africa and General Data Protection Regulation in the European Union.

They are similar in terms of what is defined as consent and instances where you are allowed to process data such as when it is a legal obligation, when it is beneficial to the public interest and when it's vital to an individual or another person.

It is worth noting, though, that the General Data Protection Regulation (GDPR) is more far-reaching and more specific than the other acts. Some say it’s the toughest privacy and security law in the world because it’s detailed and has strict compliance objectives. The GDPR applies to both EU and non-EU companies that conduct any business with customers in the EU, or that collect and process the personal data of EU citizens. However, the regulation only applies to organizations that provide business services. The recitals give more detail about the exemptions for SMEs, while the Protection of Personal Information Act (POPIA) and the Zambian Data Protection Act (DPA) apply to all companies regardless of size. On the other hand, the GDPR and the Zambian DPA have requirements governing data portability, while POPIA does not.

The GDPR has significantly higher fines but no criminal charges, while the Protection of Personal Information Act of South Africa and the Zambian Data Protection Act do include criminal charges. More information can be found on the Comforte Blog. For the Zambian DPA specifically, criminal charges apply to an individual, while a corporate organization will have to pay a fine.

In conclusion, technology is always evolving at a fast pace, and so countries must have acts that address the ever-growing amount of data. If data is the new oil, then you can see the need to have regulations around it. Laws and regulations should be reviewed and refined to fit societal needs, which regulators like ZICTA can champion. One of the biggest issues that hampers information security is that there is little to no awareness, so regulators and even individuals well versed in such topics need to sensitize people to the right ways to use technology. Securing systems can also be quite expensive, and for a developing country like ours with many SMEs, hiring information security professionals or buying information security tools might not be a business’s first objective. However, the reputational damage after suffering a data breach, the fines you may have to pay and the losses you may face are huge compared to the cost of protecting your systems. Having this act puts us many steps forward in fighting cybercrime. If companies adhere to the act, we can expect to see significant decreases in data breaches.

Hi there! I am passionate about digital rights and creating an inclusive world. Join me on my journey.
Paula Nkandu