Technology continues to be one of the key drivers of the current global economy. The integration of smartphones and our ever-increasing appetite for greater internet speed and data have driven a significant rise in the development of new digital marketing and social media platforms, job tools, project software, and numerous other applications.
With greater demands, more services, and increased opportunities to generate ad revenue, we’ve also seen a greater push for the protection of consumers’ personal details and identity information after several major identity breaches during the previous decade.
Think about the devastating impact of the Equifax Data Breach (2017), the Marriott International Data Breach (2018), and the National Public Data (NPD) / Jerico Pictures breach (2024), all of which have had catastrophic consequences for consumers.
It hardly comes as a surprise that many global trade organisations and relations started laying down the law and placing great emphasis on governments to protect their consumers and to fight these cyber crimes.
BRINGING IT CLOSER TO HOME
In South Africa, the Protection of Personal Information Act (POPIA), our local data privacy law, came into effect on 01 July 2020 and aims to protect personal information handled by public and private bodies.
The Act sets out the conditions for the lawful processing of personal information, ensuring compliance with the constitutional right to privacy. The Act made provision for a one-year grace period for all involved to comply.
Given the act and its requirements, it comes as no surprise that we have noticed a heightened awareness and a greater push from local authorities concerning the protection of data privacy.
In a recent publication, Information Regulator chair Advocate Pansy Tlakula mentioned, during a 702 radio interview, that many estates, gated communities, and office parks infringe on South Africans’ privacy rights by collecting too much personal information from drivers.
Further to this, the City of Johannesburg introduced a CCTV camera by-law to regulate the access and sharing of privately owned CCTV footage. While initially hailed as a step in the right direction to fight crime and to improve the current security and surveillance of the city, it quickly escalated into a fight between the City of Johannesburg and residents, as many feel the city is exceeding its mandate.
These are just some of the current overtones of a greater awareness and sensitivity by local authorities to ensure the personal identity and information of South Africans are appropriately protected.
But what does this mean for any current private property estate?
PREVENTION IS MOST CERTAINLY BETTER THAN CURE!
The increased awareness from local councils and the broader shift towards stronger personal information protection means that private property estates have to ensure they protect the identity information of their visitors, regardless of the source (be it access logs, booking details, or other interactions).
We have compiled 5 critical pointers for a private estate to ensure the protection of visitor identity information:
1. Conduct a Comprehensive Information Audit and Mapping:
- Action: Before anything else, understand what personal identity information is being collected (e.g., names, ID numbers, vehicle registration, contact details, reason for visit), why it’s collected, where it’s stored (physical registers, digital databases, cloud services), how it’s processed, and who has access to it. Create a clear map of all data flows.
- Benefit: This foundational step allows the estate to identify all touchpoints where personal information is handled, pinpoint potential vulnerabilities, and ensure that only necessary information is collected for legitimate purposes (data minimization).
2. Ensure Lawful Basis for Processing and Obtain Explicit Consent (where necessary):
- Action: For every piece of personal identity information collected, establish a lawful basis for its processing as per POPIA. This could be a contractual necessity (e.g., for booking a stay), a legal obligation (e.g., for security purposes mandated by law), or legitimate interest (e.g., managing access for safety). If no other lawful basis applies, or for sensitive information, obtain explicit, informed consent from the visitor, clearly explaining the purpose of collection and their rights.
- Benefit: Guarantees compliance with POPIA by ensuring that all data collection is justified and transparent, empowering individuals with control over their information.
3. Implement Robust Data Security Measures (Technical & Organisational):
- Action: Protect all collected identity information from unauthorized access, loss, or disclosure.
This includes:
- Technical: Encryption for digital data, strong password policies, firewalls, regular software updates, secure backups, and anonymisation/pseudonymisation where possible.
- Organisational: Restrict physical access to data storage areas, use secure filing systems, implement “clean desk” policies, and ensure proper disposal of physical documents (shredding).
- Benefit: Minimizes the risk of data breaches, theft, or accidental exposure of sensitive visitor identities, building trust and safeguarding the estate’s reputation.
4. Establish Clear Data Retention Schedules and Secure Disposal Protocols:
- Action: Define strict retention periods for all collected identity information based on its purpose and legal requirements. For example, access log details might be kept for a specific period for security incident investigation, while booking details are kept as long as legally required for financial records. Once the purpose is fulfilled and the retention period expires, implement secure and verifiable methods for data destruction (e.g., certified data wiping for digital, cross-shredding for physical).
- Benefit: Prevents the unnecessary accumulation of personal data, reducing the “attack surface” for potential breaches and ensuring compliance with POPIA’s data minimization and retention principles.
5. Develop and Practice a Data Breach Response Plan:
- Action: Create a clear, actionable plan for what to do in the event of a suspected or actual data breach involving visitor identity information.
This plan should include:
- Identification and containment of the breach.
- Assessment of the risk to affected individuals.
- Notification procedures for the Information Regulator (if required by POPIA) and affected data subjects.
- Post-breach review and implementation of preventative measures.
- Regular testing/drills of the plan.
- Benefit: Allows for a swift and effective response to minimize harm in the event of a breach, demonstrating responsibility and potentially mitigating penalties and reputational damage.
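To make pointers 3 and 4 concrete, the sketch below applies a per-category retention schedule to visitor records and pseudonymises the identifiers of the records that remain. It is an added example, not code from any estate system; the record fields, category names, retention periods, key, and sample data are all assumptions constructed for illustration. It only selects what may be kept: certified wiping of the underlying storage is a separate step.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Assumed retention periods (illustrative only; derive real values from the
# purpose of collection and the applicable legal requirements).
RETENTION = {
    "access_log": timedelta(days=90),
    "booking": timedelta(days=5 * 365),
}
IDENTIFIERS = ("name", "id_number", "vehicle_reg", "contact")

def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: stable for correlation, not reversible without
    the key. ID numbers have few possible values, so an unkeyed hash could be
    reversed by enumeration."""
    normalised = "".join(value.split()).upper()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()

def apply_retention(records, today: date, key: bytes):
    """Return (kept, purged_count); kept records carry pseudonymised identifiers."""
    kept, purged = [], 0
    for rec in records:
        period = RETENTION.get(rec["category"])
        if period is None:
            # Fail closed: an unmapped category must not be retained by default.
            raise ValueError(f"no retention period for {rec['category']!r}")
        if today - rec["collected"] > period:
            purged += 1
            continue
        safe = dict(rec)  # copy, so the caller's record is not modified
        for field in IDENTIFIERS:
            if safe.get(field):
                safe[field] = pseudonymise(safe[field], key)
        kept.append(safe)
    return kept, purged

# Constructed sample data and demo key (load the real key from a secrets store).
DEMO_KEY = b"constructed-demo-key-not-for-production"
SAMPLE = [
    {"category": "access_log", "collected": date(2025, 1, 10),
     "name": "Visitor A", "id_number": "0000000000001", "vehicle_reg": "AB 12 CD GP"},
    {"category": "access_log", "collected": date(2025, 5, 20),
     "name": "Visitor B", "id_number": "0000000000002", "vehicle_reg": "EF 34 GH GP"},
    {"category": "booking", "collected": date(2022, 3, 1),
     "name": "Visitor C", "id_number": "0000000000003", "contact": "c@example.test"},
]

if __name__ == "__main__":
    kept, purged = apply_retention(SAMPLE, date(2025, 6, 1), DEMO_KEY)
    print(f"kept={len(kept)} purged={purged}")
```

Because the token is keyed, the key itself must be stored and access-controlled separately from the pseudonymised records.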
CLOSING REMARKS
There seems to be a growing tension between what high-value estates and upmarket developments view as standard security protocols and the point at which those procedures infringe on a person’s right to privacy. Individual identity and personal details have to be protected at all costs.
With cybercrime, human trafficking, and other violent criminal acts on the rise, it comes as no surprise that these institutions are doing their best to protect their inhabitants. That’s why residents are happy to pay a premium to live there.
However, it also remains critically important that, during the execution of these security actions, people’s personal information is protected and managed correctly under current legislation. Private property estates simply have to strike a healthy balance between maintaining security, law and order, while protecting personal rights and personal details.
This entire management system must be regularly assessed and reviewed, preferably by a third party, to ensure that the estate and its owners and shareholders stay on the right side of the law.
Residents can also play a significant role by being part of the security solutions and making sure all visitors, friends, family, and external service providers are aware of the estate’s security requirements. This cultivates a spirit of openness and transparency.