Josephina: Your aspirations are not limited by your background

Dar es Salaam. When you hear the title Data Privacy Technologist, what first comes to mind? Like me, you might be curious as to what role a person with this title does, especially in Tanzania where technology and data privacy issues and regulations are still a work in progress.

Earlier this year, the Personal Data Protection Act came into effect and, in my curiosity, I realised that not many people I conversed with could fully explain what it entails.

The Personal Data Protection Act was passed as a recognition of the right to privacy and personal security, enshrined under Article 16 of the Constitution of the United Republic of Tanzania, and it sets the minimum requirements for the collection and processing of personal data in Tanzania.

While many may be able to read and understand the general direction, we may not necessarily understand how to apply it in our lives.

When I sat down with Ms Josephina Nshunju, she got down to the nitty gritties of data privacy and I would be lying if I said I understood everything she said - I'm working towards it though.

Josephina is a Data Privacy Technologist for Volvo Autonomous Solutions and as she puts it, her major role is to ensure that the organisation is compliant with the requirements of data privacy laws and ensure that privacy by design is embedded in the technologies that are introduced by the organisation

These laws include those set by the General Data Protection Regulation (GDPR) and all other related cyber security principles.

Josephina is also an Advocate of the High Court of Tanzania, as well as the Founder and Director of the Tanzania Privacy Professionals Association (TPPA).

Her journey with technology started when she was introduced to the GDPR which is the world's most comprehensive data protection legislation which made it inevitable for her to come into contact with the technology area.

“I was introduced to this area by a former university mate who is now a colleague and partner. She’s an expert in data protection and she advised me to look into the privacy industry, especially since during my first degree, one of my optional studies was human rights, and if you trace the right to privacy, which gives rise to data protection laws and cybersecurity laws, and information security; it emanates from the human rights - the right to privacy - which has been adopted by many countries that have signed to the UN treaty,” Josephina narrates.

“In the constitution of Tanzania, you will find it under Article 16, and that being my foundation, I was very interested to learn more about data protection in the privacy industry,” she adds.

Keeping in mind that getting some of the most valued certification in data protection is quite expensive, Josephina had to begin with self-studying on the GDPR and what the industry was like, with assistance from her colleague.

During the period of self-study, she managed to get an internship position with a UK consulting firm that works in the privacy industry, and was also able to do the internship long distance for about nine months.

“My main role was case analysis. I would review the different cases, decisions and enforcement actions around data protection, cybersecurity and analyse to see how the organisation breached these laws and what the mitigations around that were,” she explained.

“As a data privacy technologists and working in the privacy department, our major role is to ensure that the organisation is complying with the requirements of data privacy laws and as a technologist, my role is to ensure that we embed what we call privacy by design, in the technologies that are introduced by the organisation,” Josephina shares.

Privacy by design and by default, according to Article 25 (2) of the GDPR refers to creating a system where only personal data which are necessary for each specific purpose of the processing are processed and data controllers must structure their systems and processes to meet the concept of data minimisation.

This means that any particular application that a person creates is embedded with features that protect the rights of the data subjects and not fall into the wrong hands. Additionally, Josephina’s role mandates her to analyse these features to ensure that a minimum amount of data needed to perform a task is collected, as well as how said data will be stored, ensuring that it is not stored for a period longer than is permitted by the law.

“A lot of times, you find that most developers are equipped with the ability, but don't often have it as a thought that as they are creating and inventing this technology, to deeply consider the people who are going to use this technology because one of the biggest fears that we have is having your identity stolen. So if people who are inventing these technologies, don't put into consideration how they can protect you as an end user, that is where people like me come in,” she explains.

Throughout her journey into tech, one glaring challenge she noticed was the issues that arose out of the misconception that it is a man’s world and that only those with the predisposed engineering gene automatically found it easy to take IT-related courses.

“For far too long, it has been ingrained in us that it is an area for people with an IT background and for Tanzania, this also meant those who pursued the PCM combination. This misconception led to concerns that there would be a lot of odd hours of work which perhaps many ladies aren’t in favour of, but this is all a result of the mental set-up we’ve had,” she explains.

“The technology industry is so big. There are so many aspects of this industry that ladies can find their space in and thrive. The area that I'm practising in also faces the misconception that only lawyers and people with IT background can venture into, at least in data protection and privacy.”

However, Josephina disputes this and shares that with technology, your background is never a limitation, it is rather a starting point. “In my area of practice, one of the basic requirements to be a good data protection technologist, a privacy practitioner, or a privacy analyst; is that you must understand the law,” she explains.

“For example, now we have the Personal Data Protection Act of Tanzania, which came into force on May 1 this year which for a person working in my area, understanding it is a basic requirement.”

You must know what the law wants to be able to implement it. Even those with IT backgrounds must understand the Cybersecurity Act to be able to implement it and work within the margins of this framework.

“This is one industry that I know of that has not limited people's entrance based on their educational background because it sprung on us without us being prepared, so it is open to anybody who is willing to learn and put in the work. It is a lot of hard work, a lot of diligent reading and preparation,” she explains, adding that it is also borderless and what you need to do is to bring your abilities and your qualification to the world class level, which takes work but will keep you agile enough to grab opportunities as they come.

As a believer that sharing knowledge is key to growth, Josephina took it upon herself to do what she can to educate her fellow countrymen.

“Having gotten the access to this knowledge, I realised the gap we have here at home, and to be able to give back I partnered with a very young man who recently finished his degree from Mzumbe University to set up TPPA,” Josephina shares.

The association is a collective of individuals from the tech industry, legal, cybersecurity, IT, data protection and other tech-related professionals who share knowledge that in the future, hopes to shape industry policies, create educational material and compiled case laws.

The platform has created a community of members from different places. She is also a founding leader of the Association of Privacy Professionals in Africa which is registered in the USA because most of the founding leaders are in the diaspora. The goal is to bring together lawyers who practise in the privacy industry space.

This industry doesn’t just affect the professionals. While many countries already have data protection laws in place, many of which have been copied from the GDPR, the challenge now is to harmonise and localise them from the western principles to the African context.

“I may be qualified in this area, but if the end users - the everyday people - don't have the knowledge of their rights, it still defeats the purpose. The majority of this information is in English and we need to find ways to educate our people and create syllabuses that introduce this knowledge in a way and language they can understand,” she said.

Doing this, she believes, will set us on the right path to developing a pool of our own local talent and innovators, hence being able to have localised case studies of what exactly works for us and create relevant industry policies and frameworks to govern Tanzania’s tech ecosystem for the benefit of Tanzanians.

This article is supported by the Bill & Melinda Gates Foundation