Big Data and Data Protection in South Africa

Intellectual Property
Home / IP Insights / Big Data and Data Protection in South Africa

In 1996, Bill Gates wrote an essay entitled “Content is King”, alluding to how he predicted money to be made through the Internet. As true as that is today, with the advent of big data, artificial intelligence and machine learning, one could argue that this expression may be quickly replaced with “Data is King”. Data is one of the most valuable assets in the current economy, being readily leveraged, licenced and traded.

European Union (EU) General Data Protection Regulation

Whilst data can relate to any field or technology, it can also involve personal information of data subjects. In South Africa, the processing of any such personal information is subject to the Protection of Personal Information Act (POPI Act). The POPI Act, which forms South Africa’s data protection law, bares many similarities with the European Union (EU) General Data Protection Regulation (GDPR).

Amongst other things, the POPI Act places an obligation of responsible parties (i.e. companies or individuals determining the purpose and means of processing personal information) to take appropriate measures to protect any personal information of data subjects in its possession or under its control. This obligation relates directly to cybersecurity, to taking practical steps to ensure protection whilst also developing policy and organisational measures to do so. These steps are aimed at preventing any unlawful processing of personal information of data subjects – whether by the responsible party itself or any external parties (e.g. in the case of a data breach).

When it comes to data processing of big data in an artificial data or machine learning environment, is becomes necessary to distinguish between data containing personal information (i.e. information related to an identified or identifiable natural person) and data that is not considered personal information (i.e. cannot be linked to a natural person). In South Africa, the POPI Act only applies to the former category however, in practice applying the same data protection policies across board may be easier to implement. For example, the POPI Act specifically requires upfront disclosure by the responsible party of the purpose for which the personal information is being collected and how the personal information will be used. If the data containing personal information will be utilised in multiple artificial intelligence applications, all of these applications must be disclosed to the data subject in order for them to informedly consent to the data use. As such, even if impersonal data will only be used in a particular application, clearly informing the data subject of potential further uses of the data is essential. Smit & Van Wyk can assist with tailoring a data protection strategy to your particular business and data usage.