Today is World Data Privacy Day, and the subject of data protection is getting users worked up across the globe. Not even Tesla CEO Elon Musk’s ‘Use Signal’ proclamation is helping to assuage the outrage over data privacy sparked by WhatsApp’s recent update to its terms and conditions. Users are demanding to know why governments are reluctant to punish tech behemoths that siphon their data without consent and sell it to third parties with impunity.
Afcacia’s DAPHNE OLOO spoke to Andrew Bourne, Regional Manager, Africa, at Zoho Corporation, an Indian multinational technology company that specializes in software development and cloud computing, about the evolving nature of data privacy.
1. Why do you think data privacy matters now, more than ever?
While people’s data can be used for good, ensuring that they receive more targeted advertising, it’s important that it be kept safe and secure.
Around the globe, businesses may unwittingly be providing third-party services with not only their own data but also that of their employees and even customers. Unless you’re in the know, it can be challenging to spot this kind of surveillance.
If the third-party company collecting the data doesn’t have robust security, it could result in a data breach that leads to exposure of customer data and sensitive business information. An average data breach today costs Sh400 million, which can have an irrevocable impact. There are also legal implications.
2. Many countries in Africa still lack a data law. How is this affecting efforts to protect citizens against data breaches on the continent?
Without adequate laws in place, there may not be enough incentive for companies to protect their local customers’ data. While they may suffer reputational and financial damage, that might not be incentive enough for those companies to embrace the technology, processes, and procedures necessary to protect their customers’ data.
If businesses in African countries offer goods or services to customers that are protected by the European Union’s General Data Protection Regulation (GDPR), then they will need to comply with GDPR. If not, and there is a data breach, those businesses could face a fine of up to Sh2 billion.
3. Some companies are already using Facial Recognition for surveillance even after IBM abandoned it. Where do we draw the line when it comes to identifying people’s faces without their consent and giving them physical security?
Consent should always be obtained when using someone’s personal data. Here again, the issue isn’t so much the technology itself but how it’s used and where the facial recognition data is stored.
Facial recognition can be used in HR management software in a positive way to help prevent identity theft, in other words, detecting someone pretending to be someone they are not. This in turn prevents data theft, tampering and other illicit activities.
4. Nigeria is in advanced steps of merging citizen SIM cards and national IDs. Kenya is implementing Huduma Namba. How can African governments ensure these initiatives don’t breach the privacy of their citizens?
The steps governments need to take when it comes to protecting their citizens’ data are the same as companies should take, if at a larger scale. A good place to start is by choosing technology solutions that do not rely on ad-based revenue models.
Online advertising and data privacy are mutually exclusive. Any technology solution that runs a business by displaying ads within their offerings in return for their freemium software cannot guarantee full privacy for you, your employees, and your customers.
It’s also a good practice to check whether the technology solution follows a security-first approach to protect personal data, such as using robust encryption techniques and securing data transfer channels. Further, a regular assessment of their privacy policies can help you understand if they are as open and transparent as possible about what information they’re collecting, if they follow a clear consent system, and what they use the data for.
5. Google, Facebook, and all social media companies are tracking the data of Africans every day. They have amassed so much data from people’s phones without their consent, and have made a lot of money through online ads using that free data. What do you make of this?
For the most part, data tracking on social media is done with consent; most people just don’t read the terms and conditions when they sign up to these companies. But internet surveillance and tracking go far beyond what social media sites do.
Some tracking methods are so widely used that several technology providers have built businesses worth billions of dollars using this model. The websites and descriptions of these renowned data brokers and aggregators openly display the depth and breadth of the information they gather. Put simply, it’s a complete surveillance of our lives online.
6. Kenya’s data law, for instance, provides a maximum of Sh5 million as a fine for companies found breaching data protection, which is a very small amount compared to GDPR’s Sh2 billion. How can this influence how data companies approach privacy?
While the amount may seem relatively small to a company like Safaricom, for instance, it will still likely be big enough to draw headlines. The reputational costs for any company in contravention of the data law may be bigger than the actual cost.
What will be important is how strictly and widely the law is monitored and prosecuted. Also, if they store data of a customer from Europe, then they will need to comply with GDPR. Therefore, it is best practice to use a technology solution that is GDPR compliant.
7. Even after acknowledging the ramifications of data malpractice, companies are still sharing customer data with others, or selling it to third parties secretly. Why is this so?
It’s common for businesses to embed third-party tracking services (like Google Analytics, conversion tracking, and DoubleClick ads) in their websites to understand prospect preferences, improve user experience, and also reach a wider audience.
The personal data collected by the tracking cookies is usually sold by the third parties to the highest bidders (usually advertisers) for profit maximisation. The information can be used by the advertisers to build a detailed profile about the data owner. This information could range from our identities to even our personal preferences.
But this is something that should be avoided at all costs. When people use a company’s digital products, the company should never let surveillance companies track their behavior. As part of this, companies should remove from their websites all third-party trackers of companies with ad-based business models.
This is to protect people from ad companies tracking them without their knowledge. Companies should be far more interested in providing customers with quality products and protecting the trust that they have built with their users, who, in most cases, are millions in number.