Data security and privacy - is your approach holistic?

In today's digital age, there has been a growing awareness and concern about data privacy, partly due to well-publicised data breaches and misuses of personal data by companies that collect and process it.


The Banking, Telecommunications, Health, and Government sectors have traditionally collected and used personal data to fulfil their key business functions. Nowadays, nearly every organisation collects and processes large amounts of personal data for various reasons. While privacy is not a new concept, data privacy has only gained traction in the past decade. Personal data has monetary value, with valuations varying between sources. For example, some years ago a Financial Times report mentioned basic age, gender, and location information being valued at as little as US$0.0005 per person.


In May 2023, Tanzania took a significant step towards safeguarding individuals' privacy and personal security by enacting the Personal Data Protection Act. The Act outlines the minimum requirements for safeguarding personal data and establishes principles and conditions for its collection and processing. One key principle requires that personal information be processed lawfully, fairly, and transparently, while respecting the individual's right to privacy and ensuring the data's security. This principle addresses both privacy and security risks, which are often intertwined.


Unfortunately, many organisations assume that a robust cybersecurity program can manage privacy risks as well. However, while cybersecurity programs are essential for protecting against external threats like hackers and malware, they may not fully address internal privacy risks, such as employee mishandling of data.


To manage privacy risks effectively, organisations need a comprehensive approach that goes beyond Confidentiality, Integrity, and Availability, the traditional security principles of an information security management system. While these principles remain vital, Predictability, Manageability, and Disassociability are key principles that organisations should keep in mind when designing their privacy policies.

Predictability entails ensuring that individuals can comprehend how their data is being used and the possible consequences of that use. Manageability involves providing individuals with some level of control over their data, such as the ability to update or delete it if needed. Disassociability, on the other hand, focuses on separating personal data from other information. By using techniques like pseudonyms or anonymization, organisations can reduce the risk of re-identification or data breaches. This principle is especially critical in today's digital landscape, where data is collected and shared across multiple platforms.

These principles are aligned with the guiding principles under Section 5 of the Personal Data Protection Act. These include the requirement that personal data must be accurate, updated promptly, and corrected or deleted if found to be inaccurate, and that personal data must only be collected for explicit, legitimate purposes and not processed further in contravention of these purposes.

However, enacting laws alone is not enough to ensure that individuals' personal data is protected. It is also important to have a functional Data Protection Authority (DPA) with a clear mandate to regulate and enforce these regulations. A DPA can play a critical role in monitoring compliance, investigating breaches, and imposing penalties on organisations that fail to comply with data protection laws. Without a functional DPA, there may be gaps in the enforcement of data protection regulations, leaving individuals vulnerable to potential privacy violations.

Implementing a comprehensive approach to data protection can result in various benefits. One such benefit is that companies implementing data minimization practices avoid unnecessary data storage and protection costs, which in turn helps to mitigate the risks associated with data breaches and legal repercussions.

In addition to cost savings, companies that prioritise privacy can build trust with their customers. Customers are increasingly aware of their rights and expect companies to protect their personal information. This, in turn, can have a positive impact on brand reputation and customer loyalty.

Moreover, identifying gaps in privacy practices can be beneficial for companies that already have security programs in place. Specifically, companies that hold personal data belonging to European Union (EU) citizens can benefit by ensuring compliance with the General Data Protection Regulation (GDPR), one of the strictest data protection laws.

Overall, taking a holistic approach that considers both security and privacy principles is essential for organisations that want to mitigate potential risks associated with collecting and using personal data.

Najma Hussein is a risk assurance services manager at PwC Tanzania.