In today’s highly digital age, people are acutely aware that their data is always being collected.
Your organisation by virtue of being in operation, is probably collecting a lot of personal data from the following activities and your stakeholders know it:
· Recruitment activities,
· employment activities,
· social networking activities – websites, social media (facebook, IG, twitter),
· sales / trading activities,
· marketing / promotional activities actions,
· Procurement activities,
· Healthcare activities,
· Training activities,
· Social networking, and
· IT / Network provider activities.
As a result of this, people will be suspicious if you have not made available a privacy policy public for their review as they interact with your organisation.
You can immediately see the channels, processes etc that need to have ready, a document that outlines your organization’s data practices.
That document will be picking up from existing practices within your organisation to detail how you collect, use, share, store or secure personal data. The document is a Privacy Policy.
Let us not complicate what a Privacy Policy is. Your organizations probably already have multiple policies that guide and help manage multiple processes.
A privacy policy is not any different from those other policies in terms of how it’s intended to work. Have that in mind as we review the importance of privacy policies.
First things first, your organization is legally required to have a privacy policy if you collect personal information.
A privacy policy frameworks your data governance practices.
"But my organisation does not explicitly collect or use personal data", you may say. I doubt that is true having regard to what is covered under personal information and the typical activities that facilitate its processing.
Your organisation is probably collecting and therefore processing personal data, without you even realizing it.
You have a website right? Your website probably uses cookies or other technologies placed on your users terminal equipment: computers or mobile device, wearable technologies, smart TVs and connected devices.
These technologies process your users - customers / visitors personal data and trends. They collect unique IDs, usernames, passwords, domains, logins, IP addresses, location etc, which may be used individually or collectively to profile people.
By law, your customers or users of your services have a right to
- be informed of the existence of these technologies,
- be informed whether there is a legitimate specific reason for them (up to 6), and
- depending on the reason, give an opportunity for a user to consent to you collecting that information.
Have you ever checked if your website uses cookies or other technologies, how many they are and who is benefiting from or is responsible for those technologies? There are ways to do this and they are easily accessible.
You need to have a privacy policy that specifies who these people are, their location and why they are receiving this information as part of consent management.
If your website, platform or app does not have a privacy policy, you are putting your business at risk of fines (as recently happened to OPPO Kenya Limited who was fined KES.5M for data compliance violations), complaints to the ODPC by disgruntled users or loss of trust by your customers.
Compliance will protect your business.
Please note that the risk of non-compliance is not remote. As of 30 September 2022 (now past), the Office of the Data Protection Officer said it had received 1,030 complaints against various organizations.
According to the ODPC, the investigations above, ‘documentary assessment' preceded the investigations.
Can you prove that a person consented to cookies and other technologies being installed in their terminal equipment? Also, can you prove that the consent was clear, unambiguous and freely given?
There are technologies that manage cookie consents. It is important to be acquainted with them because at the heart of compliance is documentation.
Now that we have established that the chances of you collecting personal data is high, let us cycle back to Privacy Policies.
A policy acts as a guide for your data practices – it is a reference document that outlines existing practices.
Do not take its creation and availability as a check off item without reviewing it against existing processing practices and confirming their alignment. Doing so will means misinformation and weak or lack of enforcement of your own privacy policy.
Example: Suppose you say in your policies that your lawful basis for processing information is consent, this needs to be reflected in practice and you must be able to demonstrate that consent was given.
If on the other hand, your Cookie Banner utilizes dark patterns and contains pre-ticked boxes, your practices will not be aligned to your policy provisions. In such cases, your organisation has not only misinformed the ODPC in your registration filing on your data practices, but has also misled the owners of the personal data on the same. Misalignment between policy and practice is a compliance issue.
MZIZI Africa can guide on technologies that manage cookie consents, advice on cookie banners and accountability practices. Help on setting up compliant data governance systems is within reach. Connect to know more.
As well as blogs, we regularly publish new Communication Tools to help you reach your training, communication and compliance goals.
Meanwhile, look out for new communication tools that you can start using today, for free. Use these tools to inspire, refine and plan your internal compliance strategy. Download a free Compliance Planner for June 2023
Also, if you are looking for a one stop compliance solution, why not speak to us to organize a free demo of our fully resourced compliance management system incorporating Training/LMS, Policy Management, Whistle blow Program, Reporting & Monitoring management and many more.
This article is for information purposes only and is not intended to provide legal advice. For more information on this issue or other legal services please contact us at info@mzizi-africa.com
Comments ()