A comparison of compliance with data privacy requirements in two countries

Veiga A Da, R Vorster, F Li, N Clarke, S Furnell

Research output: Contribution to journalConference articlepeer-review

Abstract

In the United Kingdom (UK), the Data Protection Act (DPA) has been in force since 1998, whereas South African (SA) organisations are preparing for compliance with the Protection of Personal Information Act (POPIA). The objective of this research is to compare aspects of data protection compliance between the UK and SA to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in an online context compared to a country that is preparing for compliance, using the results to make recommendations for non-compliance aspects. To fulfil the research objective, an insurance industry multi-case study was conducted. Similar data privacy requirements from the DPA and POPIA were selected for the multi-case study and as such, consent for direct marketing, secure processing of personal information (PI), privacy policies and sharing of PI collected via websites were evaluated. For each country, PI of four created consumer profiles was deposited to 10 insurance company websites in each country to evaluate the requirements. The results showed that some of the websites did not honor the selected opt-out preferences as direct marketing material was sent to the SA and UK consumer profiles. Forty two unsolicited third party contacts were received by the SA consumer profiles indicating unconsented distribution of PI in SA. In comparison, no unsolicited contacts were received by any of the UK profiles. The results demonstrate that the UK, being regarded as a jurisdiction with a heavy stance towards privacy implementation and regulation, is more compliant than SA in terms of implementation of the evaluated data protection requirements included in the scope of this study. SA insurance organisations should ensure that the noncompliance aspects are addressed and can learn from the manner in which the UK insurance organisations implement the privacy requirements. Furthermore, the UK insurance organisations should focus on improved compliance for direct marking to aid with compliance to the DPA and upcoming General Data Protection Act.
Original languageEnglish
Number of pages0
Journal26th European Conference on Information Systems: Beyond Digitization - Facets of Socio-Technical Change, ECIS 2018
Volume0
Issue number0
Publication statusPublished - 1 Jan 2018

Fingerprint

Dive into the research topics of 'A comparison of compliance with data privacy requirements in two countries'. Together they form a unique fingerprint.

Cite this