Data like oil is a vital tool in maintaining growth of firms, industries and companies. Companies want to get a hold of information detailing what their customers and competitors are discussing about them, so that the business may be improved through feedback.  However what standard of care must one who is able to ascertain the personal information of a natural or juristic person take in the collection, use and protection of this data. Most social media companies by design of their business model harvest data and often sell it to advertisers.

Keeping information confidential requires that a company such as Facebook, SnapChat, Wechat, Twitter and companies that offer similar products examine reasonably foreseeable internal and external risks to a customer’s personal infomation.  They assume a position of trust or responsibility including decision-making powers relating to how data is stored or sold.  Also, it has become their fiduciary duty to implement the necessary security measures to protect personal information stored and to uphold an individual’s constitutional rights to privacy which includes, the right not to have “the privacy of their communications infringed upon”.

In the context of the South African Protection of Personal Information Act, No 4 of 2013 (“POPIA”) Act, ‘companies are expected to handle, store and secure personal information or face substantial penalties’.  The Act restricts how social media and other tech companies collect, store, and use personal data.  Furthermore, the Act provides that users personal details must be treated in a prescribed and respectful manner.  This means that tech companies must maintain data within an explicitly-defined and lawful purposes, related to a function or activity of the business within its website.  POPIA also has a breach notification requirement, which states “that companies that store data are expected to notify users as soon as reasonably possible” about the breach.  POPIA further provides imprisonment for individual persons who commit criminal acts with personal information.   This provides for a requirement for notification and possibility of imprisonment where exist a breach in use of personal information.

In a major cybersecurity breach, it’s very important to understand the fiduciary duties owed to you by a tech or social media company who stored your data and what aspects of your privacy you gave away. The POPIA Act cannot protect you, if you do not take care to protect your data. Hence why companies and individuals who make use of digital tools should no longer assume that technology alone will protect them from breach but having a composite data policy will define that breach. A composite data policy which will provide the single consolidated place that maps out the ways, in which it uses data and processes people’s personal information. Importantly layouts expected fiduciary duties owed to them by tech platforms.