A comparison of compliance with data privacy requirements in two countries

Adéle Da Veiga, Ruthea Vorster, Fudong Li, Nathan Clarke, Steven Furnell

Research output: Chapter in Book/Report/Conference proceedingConference contribution

613 Downloads (Pure)


In the United Kingdom (UK), the Data Protection Act (DPA) has been in force since 1998, whereas South African (SA) organisations are preparing for compliance with the Protection of Personal Information Act (POPIA). The objective of this research is to compare aspects of data protection compliance between the UK and SA to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in an online context compared to a country that is preparing for compliance, using the results to make recommendations for non-compliance aspects. To fulfil the research objective, an insurance industry multi-case study was conducted. Similar data privacy requirements from the DPA and POPIA were selected for the multi-case study and as such, consent for direct marketing, secure processing of personal information (PI), privacy policies and sharing of PI collected via websites were evaluated. For each country, PI of four created consumer profiles was deposited to 10 insurance company websites in each country to evaluate the requirements. The results showed that some of the websites did not honor the selected opt-out preferences as direct marketing material was sent to the SA and UK consumer profiles. Forty two unsolicited third party contacts were received by the SA consumer profiles indicating unconsented distribution of PI in SA. In comparison, no unsolicited contacts were received by any of the UK profiles. The results demonstrate that the UK, being regarded as a jurisdiction with a heavy stance towards privacy implementation and regulation, is more compliant than SA in terms of implementation of the evaluated data protection requirements included in the scope of this study. SA insurance organisations should ensure that the noncompliance aspects are addressed and can learn from the manner in which the UK insurance organisations implement the privacy requirements. Furthermore, the UK insurance organisations should focus on improved compliance for direct marking to aid with compliance to the DPA and upcoming General Data Protection Act.

Original languageEnglish
Title of host publicationProceedings of ECIS 2018
PublisherUniversity of Portsmouth
ISBN (Electronic)9781861376671
Publication statusPublished - 28 Jun 2018
EventECIS 2018: 26th European Conference on Information Systems: Beyond Digitization - Facets of Socio-Technical Change - University of Portsmouth, Portsmouth, United Kingdom
Duration: 23 Jun 201828 Jun 2018


ConferenceECIS 2018: 26th European Conference on Information Systems
Abbreviated titleECIS 2018
Country/TerritoryUnited Kingdom


  • Compliance
  • Consumer
  • Data Protection Act
  • Direct marketing
  • DPA
  • GDPR
  • General Data Protection Regulation
  • Legal
  • Opt-in
  • Opt-out
  • Personal information
  • Privacy
  • Protection of Personal Information Act


Dive into the research topics of 'A comparison of compliance with data privacy requirements in two countries'. Together they form a unique fingerprint.

Cite this