Cybersecurity Parabellum

Post on 02-May-2022


Transcript of Cybersecurity Parabellum

Dr Martin Koyabe
Head of Technical Support & Consultancy (CTO)

Cybersecurity Parabellum
Data Protection and Privacy

C3SA | GCSCC | OCSC Constellation Online Webinar

Date: 16 February 2020

© Commonwealth Telecommunications Organisation

Data Protection and Privacy Legislation

• Global Status
– Africa and Asia remain at nearly 52% of countries with established legislation


Data Protection and Privacy Legislation

• Africa (54 Countries)
– 28 Countries have legislation (52%)
– 9 Countries have draft legislation (17%)
– 13 Countries have no legislation (24%)
– 4 Countries no information (7%)


Data Protection & Privacy | Introduction [1/2]

• What is Personal Data?

Personal data: “Any information about a living individual which is capable of identifying that individual.”

Sensitive personal data: “Any information relating to an individual's racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, alleged or actual criminal activity and criminal record.”


Data Protection & Privacy | Introduction [2/2]

• What is Data Protection?

Data Protection: “It is about avoiding harm to individuals by misusing or mismanaging their personal data”

• When does Data Protection law/act apply?

If you collect, use, or store personal data then the Data Protection Act or Law applies to you.


Steps towards Data Protection & Privacy

• The following 12 tenets MUST be included in the Data Protection & Privacy Law


Why General Data Protection Regulation (GDPR)?

Provides more RIGHTS to Individuals:
• Giving Data Subjects more control
• Making Data Controllers/Processors more accountable
• Making personal data processing more transparent
• Reducing personal data security vulnerabilities
• Co-operation between Supervisory Authorities on cross-border processing


GDPR Compliance | Implications to SSA countries

What’s new in GDPR:
• Accountability – demonstrating compliance
• Transparency – providing information pre-processing
• Risk-based mandatory data breach reporting (72 hours)
• New and enhanced Data Subject rights
• Administrative Fines
• Data Protection Officer (DPO) for certain organisations


GDPR-Like Data Privacy Laws [1/2]

• Lei Geral de Proteção de Dados (LGPD) (Sep 2020)

• Australia’s Privacy Act (Feb 2018)

• California Consumer Privacy Act (CCPA)

• Act on Protection of Personal Information (May 2017)

• Personal Information Protection Act (PIPA) (Sep 2011)

• Personal Data Protection Act (PDPA) (May 2020)


GDPR-Like Data Privacy Laws [2/2]

• Data Protection Bill – Chile’s Constitution (Mar 2020)

• New Zealand's Privacy Act (Dec 2020)

• Personal Data Protection Law (PDPL)

• Protection of Personal Information Act (POPIA) (Jul 2020)

• Personal Data Protection Bill (PDPB) (Dec 2019)

• Digital Charter Implementation Act (Nov 2020)


Data Protection | Convention 108/108+

• Only 5 African Countries Ratified (Con 108)
– Cape Verde
– Mauritius: Ratified (Convention 108+)
– Morocco
– Senegal
– Tunisia


Other Related Conventions

• SADC Model Law (2010)

• Malabo Convention

• ECOWAS Personal Data Protection (2010)

• EAC Framework for Cyberlaws (2008)


GDPR Compliance Challenges in SSA [1/5]

• Nearly half of the countries lack comprehensive data protection laws

• Africa (54 Countries)
– 28 Countries have legislation (52%)
– 9 Countries have draft legislation (17%)
– 13 Countries have no legislation (24%)
– 4 Countries no information (7%)


GDPR Compliance Challenges in SSA [2/5]

• Implementation is not easy
– Conflict between existing Data Protection Laws and GDPR demands.


GDPR Compliance Challenges in SSA [2/5]

• Lack of adequate resources
– Challenges in funding, resource allocation, poorly skilled staff and inadequate infrastructure.

• Lack of harmonisation across initiatives
– Need for cross border flow of data, across African countries that supports emerging initiatives, such as Africa Continental Free Trade Area (AfCFTA).


GDPR Compliance Challenges in SSA [4/5]

• Enforcement limitation within SSA jurisdictions
– Data protection authorities are not issuing enough legal sanctions, and those issued are not punitive enough to deter future violations.

• Balance between individual data subject rights & public interest or national security
– Many governments are deploying surveillance technologies that trump individual rights.
– COVID-19 challenges in terms of contact tracing technology etc.


GDPR Compliance Challenges in SSA [5/5]

• Technological innovations moving faster than enacted policies and laws
– E.g. Use of Artificial Intelligence (AI) to undertake data processing and decision making. Dealing with new technologies engaged in automated decision making remains a challenge.

• Political WILL is critical
– Leaders MUST champion adherence to the RULE OF LAW and the HUMAN RIGHT of individuals to personal data protection.


Further Information Contact:

Dr Martin Koyabe
Email: martin.koyabe@cto.int
Tel: +44 (0) 208 600 3815 (Off)
+44 (0) 774 261 0688 (Mob)


Q & A Session