Legal advisory services for smart business

Data protection by design

Software products are often bought because of value-added functionality, consumer appeal and the global use that companies rely on to boost sales and user engagement. The focus is on user interaction and not on the ‘behind the scenes’ data collection practices of the software companies. The challenge for business is that the Protection of Personal Information Act 4 of 2013 (POPI Act) compels businesses to know how the software companies process personal information. See example 1 (the name of the service provider has been changed to SP1):

Messages. SP1 cannot decrypt or otherwise access the content of your messages or calls. SP1 queues end-to-end encrypted messages on its servers for delivery to devices that are temporarily offline (e.g. a phone whose battery has died). Your message history is stored on your own devices.  

Contacts. SP1 can optionally discover which contacts in your address book are SP1 users, using a service designed to protect the privacy of your contacts. Information from the contacts on your device may be cryptographically hashed and transmitted to the server in order to determine which of your contacts are registered.

For a comparison, see example 2 (the name of the service provider has been changed to SP2):

In carrying out these purposes, we combine data we collect from different contexts (for example, from your use of two SP2 products) or obtain from third parties to give you a more seamless, consistent, and personalized experience, to make informed business decisions, and for other legitimate purposes.

To be fair, the two examples do not show the full extent of the commitment of the software companies, but they demonstrate how differently two service providers can process data. What is the right approach? The answer lies in a key requirement of the POPI Act: the risk management framework. It clarifies the risk appetite of the business and helps the business make informed decisions. Using popular business software tools while monitoring data collection practices and complying with the POPI Act can be overwhelming. The trade-off is risk-based: a business may choose to implement products that have limited user functionality but that fall within the limits of its risk appetite. Data protection is not an income-generating activity, so businesses should try to create a culture of data protection by design. One way is to adopt certain measures when engaging with software companies:

- Asking for a demo or proof of their data collection practices
- Before signing them up, requiring them to complete infosec questionnaires
- Conducting information security tests

The list is not complete. The point I’m making is that it is simply too risky with the POPI Act to use software without fully understanding the software companies’ rights to that software.