When it comes to personal information, your privacy is protected by law, especially when that information is in the hands of corporations.
At iTouch, we believe in implementing the best security tools and protocols in order to protect our clients, making iTouch one of the few providers in Africa that adheres to both the POPI Act for South Africa and the GDPR for Europe. Our management team are also active contributors to The Mobile Fraud Messaging Framework.
In order to understand how ground-breaking this is, let’s look at what each of these pieces of legislation comprises.
Protection of Personal Information Act (POPI)
The intention of the POPI Act is to establish that all South African institutions conduct themselves in a responsible manner when gathering, processing, storing and sharing another entity’s personal information. Any institution collecting this type of information has to follow the POPI protocol to the letter and will be held accountable should it abuse or compromise your personal information in any way.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law which ensures data protection and privacy for all individuals within the European Union. It also covers the rules relating to the transfer of personal data outside the EU.
The GDPR is a set of procedures about how companies should process the personal data of data subjects. It lays out responsibilities for organisations to ensure the privacy and protection of personal data, provides data subjects with certain rights, and assigns powers to regulators to ask for demonstrations of accountability or even impose fines in cases where an organisation is not complying with GDPR requirements.
Understanding GDPR requirements can sometimes be a daunting task. So, let us take a closer look at the key fundamentals:
1. Lawful, fair and transparent processing
All companies that process personal data are required to do so in a lawful, fair and transparent manner.
2. Limitation of purpose, data and storage
All companies are expected to limit processing to its stated purpose, collect only the data that is necessary for that purpose, and not keep personal data once the purpose for which it was processed has been completed.
3. Data subject rights
Data subjects have the right to ask a company what information it holds about them and what the company does with that information. In addition, they have the right to ask for corrections, object to processing, lodge a complaint, and ask for the deletion or transfer of their personal data.
4. Consent
As and when a company intends to process personal data beyond the legitimate purpose for which that data was collected, clear and explicit consent must be granted by the data subject. This consent must be documented, and the data subject is allowed to withdraw it at any moment.
Also, for the processing of children’s data, GDPR requires the explicit consent of the parents (or guardian) if the child is under 16.
5. Personal data breaches
Organisations must maintain a Personal Data Breach Register, classified by severity, and the regulator and data subject should be informed within 72 hours of identifying the breach.
6. Privacy by Design
Companies should build organisational and technical mechanisms for protecting personal data into the design of new systems and processes; that is, privacy and protection should be ensured by default rather than added afterwards.
7. Data Protection Impact Assessment
A Data Protection Impact Assessment is a process that must be carried out when a significant change is introduced in the processing of personal data. This change could be anything from a new process to a modification of an existing process that alters the way personal data is managed.
8. Data transfers
The controller of personal data is accountable for guaranteeing that personal data is protected and GDPR requirements are respected, even if the actual processing is done by a third party. This means controllers are obliged to ensure the protection and privacy of personal data when that data is transferred outside the company to a third party.
9. Data Protection Officer
The Data Protection Officer is responsible for advising the company on compliance with EU GDPR requirements.
10. Awareness and training
Organisations must create awareness among employees of the key GDPR requirements, and conduct regular training sessions so that employees remain aware of their responsibilities for protecting personal data and can identify personal data breaches as soon as possible.
The Mobile Fraud Messaging Framework
This framework was created to:
- Provide an understanding of why fraud exists.
- Recognise the 13 different types of fraud which affect the ecosystem today.
- Identify the different communities and parties within the ecosystem.
- Consider the impact of fraud on the whole ecosystem.
- Learn what steps can be taken to protect against fraud.
Additionally, the framework identifies, defines and maps 13 different fraud types, using real-life examples of how fraud can occur, in order to provide the best solutions.
Leading the way
With all of these security measures in place, iTouch can proudly say that we are the leading African messaging provider, and that is why your information is safe with us.
We specialise in a range of mobile messaging services including bulk messaging and USSD. iTouch is also one of the few messaging companies in Africa that abide by GDPR and POPI security standards. If you need assistance in building effective messaging solutions for your business, contact us to see how we can help.