
A comparison of compliance with data privacy requirements in two countries

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Standard

A comparison of compliance with data privacy requirements in two countries. / Da Veiga, Adéle; Vorster, Ruthea; Li, Fudong; Clarke, Nathan; Furnell, Steven.

Proceedings of ECIS 2018. University of Portsmouth, 2018.


Harvard

Da Veiga, A, Vorster, R, Li, F, Clarke, N & Furnell, S 2018, A comparison of compliance with data privacy requirements in two countries. in Proceedings of ECIS 2018. University of Portsmouth, 26th European Conference on Information Systems, Portsmouth, United Kingdom, 23/06/18. <http://ecis2018.eu/published-ecis-2018-papers/>

APA

Da Veiga, A., Vorster, R., Li, F., Clarke, N., & Furnell, S. (2018). A comparison of compliance with data privacy requirements in two countries. In Proceedings of ECIS 2018. University of Portsmouth. http://ecis2018.eu/published-ecis-2018-papers/

Vancouver

Da Veiga A, Vorster R, Li F, Clarke N, Furnell S. A comparison of compliance with data privacy requirements in two countries. In Proceedings of ECIS 2018. University of Portsmouth. 2018

Author

Da Veiga, Adéle ; Vorster, Ruthea ; Li, Fudong ; Clarke, Nathan ; Furnell, Steven. / A comparison of compliance with data privacy requirements in two countries. Proceedings of ECIS 2018. University of Portsmouth, 2018.

Bibtex

@inproceedings{4d4793b45c62475bb9b4801e93639944,
title = "A comparison of compliance with data privacy requirements in two countries",
abstract = "In the United Kingdom (UK), the Data Protection Act (DPA) has been in force since 1998, whereas South African (SA) organisations are preparing for compliance with the Protection of Personal Information Act (POPIA). The objective of this research is to compare aspects of data protection compliance between the UK and SA to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in an online context compared to a country that is preparing for compliance, using the results to make recommendations for non-compliance aspects. To fulfil the research objective, an insurance industry multi-case study was conducted. Similar data privacy requirements from the DPA and POPIA were selected for the multi-case study and as such, consent for direct marketing, secure processing of personal information (PI), privacy policies and sharing of PI collected via websites were evaluated. For each country, PI of four created consumer profiles was deposited to 10 insurance company websites in each country to evaluate the requirements. The results showed that some of the websites did not honour the selected opt-out preferences as direct marketing material was sent to the SA and UK consumer profiles. Forty-two unsolicited third-party contacts were received by the SA consumer profiles, indicating unconsented distribution of PI in SA. In comparison, no unsolicited contacts were received by any of the UK profiles. The results demonstrate that the UK, being regarded as a jurisdiction with a heavy stance towards privacy implementation and regulation, is more compliant than SA in terms of implementation of the evaluated data protection requirements included in the scope of this study. SA insurance organisations should ensure that the non-compliance aspects are addressed and can learn from the manner in which the UK insurance organisations implement the privacy requirements. Furthermore, the UK insurance organisations should focus on improved compliance for direct marketing to aid with compliance to the DPA and upcoming General Data Protection Act.",
keywords = "Compliance, Consumer, Data Protection Act, Direct marketing, DPA, GDPR, General Data Protection Regulation, Legal, Opt-in, Opt-out, Personal information, POPIA, Privacy, Protection of Personal Information Act",
author = "{Da Veiga}, Ad{\'e}le and Ruthea Vorster and Fudong Li and Nathan Clarke and Steven Furnell",
year = "2018",
month = jun,
day = "28",
language = "English",
booktitle = "Proceedings of ECIS 2018",
publisher = "University of Portsmouth",
note = "26th European Conference on Information Systems, ECIS 2018 ; Conference date: 23-06-2018 Through 28-06-2018",
}

RIS

TY - GEN
T1 - A comparison of compliance with data privacy requirements in two countries
AU - Da Veiga, Adéle
AU - Vorster, Ruthea
AU - Li, Fudong
AU - Clarke, Nathan
AU - Furnell, Steven
PY - 2018/6/28
Y1 - 2018/6/28
N2 - In the United Kingdom (UK), the Data Protection Act (DPA) has been in force since 1998, whereas South African (SA) organisations are preparing for compliance with the Protection of Personal Information Act (POPIA). The objective of this research is to compare aspects of data protection compliance between the UK and SA to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in an online context compared to a country that is preparing for compliance, using the results to make recommendations for non-compliance aspects. To fulfil the research objective, an insurance industry multi-case study was conducted. Similar data privacy requirements from the DPA and POPIA were selected for the multi-case study and as such, consent for direct marketing, secure processing of personal information (PI), privacy policies and sharing of PI collected via websites were evaluated. For each country, PI of four created consumer profiles was deposited to 10 insurance company websites in each country to evaluate the requirements. The results showed that some of the websites did not honour the selected opt-out preferences as direct marketing material was sent to the SA and UK consumer profiles. Forty-two unsolicited third-party contacts were received by the SA consumer profiles, indicating unconsented distribution of PI in SA. In comparison, no unsolicited contacts were received by any of the UK profiles. The results demonstrate that the UK, being regarded as a jurisdiction with a heavy stance towards privacy implementation and regulation, is more compliant than SA in terms of implementation of the evaluated data protection requirements included in the scope of this study. SA insurance organisations should ensure that the non-compliance aspects are addressed and can learn from the manner in which the UK insurance organisations implement the privacy requirements. Furthermore, the UK insurance organisations should focus on improved compliance for direct marketing to aid with compliance to the DPA and upcoming General Data Protection Act.
AB - In the United Kingdom (UK), the Data Protection Act (DPA) has been in force since 1998, whereas South African (SA) organisations are preparing for compliance with the Protection of Personal Information Act (POPIA). The objective of this research is to compare aspects of data protection compliance between the UK and SA to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in an online context compared to a country that is preparing for compliance, using the results to make recommendations for non-compliance aspects. To fulfil the research objective, an insurance industry multi-case study was conducted. Similar data privacy requirements from the DPA and POPIA were selected for the multi-case study and as such, consent for direct marketing, secure processing of personal information (PI), privacy policies and sharing of PI collected via websites were evaluated. For each country, PI of four created consumer profiles was deposited to 10 insurance company websites in each country to evaluate the requirements. The results showed that some of the websites did not honour the selected opt-out preferences as direct marketing material was sent to the SA and UK consumer profiles. Forty-two unsolicited third-party contacts were received by the SA consumer profiles, indicating unconsented distribution of PI in SA. In comparison, no unsolicited contacts were received by any of the UK profiles. The results demonstrate that the UK, being regarded as a jurisdiction with a heavy stance towards privacy implementation and regulation, is more compliant than SA in terms of implementation of the evaluated data protection requirements included in the scope of this study. SA insurance organisations should ensure that the non-compliance aspects are addressed and can learn from the manner in which the UK insurance organisations implement the privacy requirements. Furthermore, the UK insurance organisations should focus on improved compliance for direct marketing to aid with compliance to the DPA and upcoming General Data Protection Act.
KW - Compliance
KW - Consumer
KW - Data Protection Act
KW - Direct marketing
KW - DPA
KW - GDPR
KW - General Data Protection Regulation
KW - Legal
KW - Opt-in
KW - Opt-out
KW - Personal information
KW - POPIA
KW - Privacy
KW - Protection of Personal Information Act
UR - http://www.scopus.com/inward/record.url?scp=85061306122&partnerID=8YFLogxK
UR - http://ecis2018.eu/about/contact-us/
M3 - Conference contribution
AN - SCOPUS:85061306122
BT - Proceedings of ECIS 2018
PB - University of Portsmouth
T2 - 26th European Conference on Information Systems
Y2 - 23 June 2018 through 28 June 2018
ER -

ID: 13177437