How Data Protection and Privacy law will affect companies

In 2018, over 50m Facebook users’ private information was accessed without their consent by Cambridge Analytica. PHOTO BY ISMAIL KEZAALA

What you need to know:

Uganda was ranked the 7th most targeted country in Africa and 65th globally by the 2018 global cyber security index. This means there is still a lot to do in terms of strengthening cyber security. But this comes at an extra cost for companies that have access to people’s personal information such as banks, telecommunication firms, merchants or vendors and aggregators in the financial space, Christine Kasemiire explains.

“50 million people, 23 million consumers. We have their details. We are direct marketing experts. We specialise in end-to-end lead generation campaigns, database management and Business or Consumer marketing list rentals. Our comprehensive data solutions provide you with the information needed to cut waste; grow revenue and market your business cost effectively.”
That is the introduction to Affinity Data, a direct marketing company based in South Africa, and only one of the many data brokers on the continent.
Database360, a data broker, advertises as a data supplier of contact information including numbers and email addresses of people in various African countries including Uganda.
These companies have your information!
Data brokers sell information to different buyers for multiple reasons including targeted marketing, development of programmes and surveys among others.
When sold, your information can also be used for dubious purposes, some of which could lead to discrimination, background checks or denial of services.
Technology giants such as Google and Facebook have faced the wrath of European courts for violating the public’s privacy, and have been arraigned on various grounds in different countries.
Several cases have been brought to court, prominently under the European General Data Protection Regulation.

Data privacy law comes to life
Uganda got her own data protection law after President Museveni assented to the data protection and privacy bill in February this year, enshrining it into the country’s laws.
At a breakfast meeting organised by Marsh Insurance brokers, Ms Angella Tugume, National Information Technology Authority risk analyst, revealed that regulations operationalising the law will be released in December.
“The regulations will be out soon in December and NITA is the implementing authority meaning we shall be the people responsible for compliance,” she says.
The Act seeks to protect personal data by emphasising consent to access information from the public, coupled with strong risk mitigation mechanisms.
The law also mentions the setting up of a data protection office, which will be responsible for implementing and enforcing compliance by organisations.

Which companies will be affected?
The enactment of Uganda’s Data Protection and Privacy Act (DPPA) also opens doors for legal action against corporations that violate the law.
Data brokers who have been selling information for a profit to a willing buyer stand to be affected the most.
Digital marketers who have been using personal information to create personalised adverts will also be majorly affected.
Companies will now have to spend more on security and upgrades, as required by the law, to forestall any potential data breach.
Unlawful obtaining of data by an individual warrants a Shs480,000 fine or ten years in prison.
For corporations committing any offence in the law, the court is at liberty to issue, in addition to a punishment, a fine not exceeding 2 per cent of the corporation’s annual gross turnover.
Safeguarding their customers was Marsh Insurance Brokers’ rationale for convening multi-sectoral players whose domain lies in the acquisition of information.
According to Mr Peter Links, Strategic Risk consulting at Marsh, technology based companies are the most susceptible to data breaches because of the increasing number of cybercrimes.
“64 per cent of companies’ behaviour changes only after they have been hacked, which is too late. Uganda in terms of your DPPA, you are now liable and exposed because you have potential litigation coming,” he warns.
Reports have illuminated tactics used by tech giants to acquire and make a killing off the sale of personal information especially for personalised advertisements.
In what the New York Times described as one of the biggest data leaks in social network history, over 50m Facebook users’ private information was accessed without their consent by Cambridge Analytica, a profiling company which was used in guiding President Trump’s campaign.
Facebook not only came under fire in the court of public opinion but was also slapped with a $5b fine for the breach of privacy.
Whereas no Ugandan company has been implicated in the sale of personal information, the Africa cyber security report 2017 cites various cybercrimes committed in the country, such as the hacking of Makerere University and Centenary Bank.
The crimes led to violation of data privacy and distortion of information.
The report also places governments, telecommunication operators, banks and financial services as the biggest victims of cybercriminal activity.

Interoperability in data protection
DPPA comes at a time when Bank of Uganda is also lobbying for the approval of the National Payments System Bill which seeks to have interoperability between players in the financial sector.
The Bill will allow and promote partnerships between telecoms, banks, merchants or vendors and aggregators in the financial space.
However, third parties such as vendors and application developers, among others, have been castigated for being one of the major causes of attacks on corporations.

Case study
Explaining how Stanbic Bank handles its own security without neglecting third parties, Mr Hebert Olowo, head Information Technology, Stanbic Bank says third parties are involved in every stage of a development.
“The third parties are there and we cannot run away from dealing with them, so we engage with them. We extend the security measures and we see what they are doing to ensure security is tight,” he says, adding: “We have taken it a step further.”
The bank incorporates cross-functional teams when delivering a feature.
This means that the bank’s personnel work hand in hand at each development stage of a new feature, while ensuring security is enforced.
Third parties are rendered relevant in these stages too.
“By the end of the assessments, we make sure that we have built a platform that is fairly secure,” he says emphasising that security is a continuous exercise.
Mr Olowo does not shy away from his fear of the fast paced change and adoption rate of the public to digitisation.
Moving from a padlock and security guard to cyber security, the bank has had to quickly innovate ways of combating security attacks.
Internally, it runs on five key strategies: prevention, protection, detection, response and recovery.
“We have very specific practices and exercises that we constantly monitor and report on. We have tools and mechanisms to guide for instance the data we have, training across the organisation,” he says, adding that the bank has governance and a holistic view of risk.
The need to quickly innovate and outcompete other financial service providers, including fintechs, creates a perilous environment for personal information.

Online security
Data obtained from Project Frontline 2018, a cyber security report by Summit Consulting Limited based on 121 organisations assessed in 2016 and 2017, shows there is a generally poor state of security hygiene in the country.
Findings indicate that it was possible to exploit internal critical production systems with one or more exploits in 68 per cent of all assessments.
Exfiltration of data was achieved 92 per cent of the time. It was easy to acquire credentials in at least 92 per cent of the cases using common credential exposure methods. It was possible to gain full control of the target organisation’s infrastructure 94 per cent of the time.
Uganda was ranked the 7th most targeted country in Africa and 65th globally by the 2018 global cyber security index.
Essentially, the index illustrates the need for the country to beef up its cyber security.
Companies will have to fork out more money to safeguard users’ information.
Flutterwave, a payments platform technology startup based in America’s Silicon Valley, has as part of its human resources employed an ethical hacker to shield it from cyber-attacks.
The tall and lean Mr Nielsimms Sangho, country lead Flutterwave Incorporation, amused the audience at the breakfast meeting after revealing his occupation as an ethical hacker, paid to attack the startup’s system.
He explained that he is paid to identify and block any cyber security threats in a company’s system to ensure they are not infiltrated by criminal hackers.
The estimated annual cost of cybercrime to the global economy is $445b and is estimated to reach $2.1 trillion at the end of 2019.
A stark $4m is the total cost of a data breach globally.
The Africa cyber security report 2017 breaks down the cost of cyber-attacks into direct and indirect costs.
$647m is spent on the indirect costs of cyber-attacks which entail technical controls, security consulting firms, loss of trust in electronic services, training as well as insurance.
$431m is dedicated to compensating victims of data breaches, money withdrawn from victim accounts and investigation costs.

Data Protection

Human resource: The biggest weak link

All efforts to tame cyber-attacks are futile without trained personnel. Other cyber-attacks stem from the skills and knowledge gap as well as the lax attitude of the corporations’ employees towards cyber skills.
Ms Irene Kaggwa from Uganda Communications Commission queried: “Even when people are told not to use common passwords, or the same passwords across different platforms, you still find that they do the same thing.”
Mr Links advised corporations to take advantage of cyber insurance, whose premiums are currently still affordable, to avoid any litigation stemming from breach of private data.
Private sector against govt

During the engagement, police voiced frustration with telecom companies, which have incessantly denied the authority access to telephone records that they say are needed for investigations. Responding to police, Ms Kaggwa says the law gives the telecom operators power to govern access to information but a middle ground needs to be found.
“How do we facilitate security to make sure we have a secure government and a secure nation without abusing data?” she says, referring the public to the Ministry of Security.

Online security
The Project Frontline report reveals that the impact of ongoing cybercrime on internet users ranges from disclosing confidential or private information, to making unauthorised modifications to data and making important company systems unavailable for use.
Companies and individuals are responsible for their online security. It takes a combination of complicated passwords, clicking only on genuine emails, using safe internet spots and more.