Please use this identifier to cite or link to this item: https://etd.cput.ac.za/handle/20.500.11838/3518
Title: Data privacy governance framework for the internet of things in South African organisations
Authors: McArdle, Leona Annelise 
Keywords: Internet of things -- Security measures;Data protection;Privacy, Right of;Data protection -- Law and legislation;Computer networks -- Security measures;POPI Act
Issue Date: 2021
Publisher: Cape Peninsula University of Technology
Abstract: In today’s world, lived experiences and other social aspects of society have been influenced exponentially by digitalisation and technological advances such as the Internet of Things (IoT). The benefits of IoT have been widely documented and are evident in various application domains such as manufacturing, smart homes and healthcare (particularly during the COVID-19 pandemic). The adoption of connected devices has given rise to the collection and processing of sensitive personal data of users. Consumers of smart devices are enticed to acquire more products and services that provide convenient, automated and immersive experiences. Despite the plethora of benefits and the growing global interest in the application of IoT, the susceptibility of connected devices to malicious attacks amplifies the risks to data privacy. Predictions have been made of the number of IoT devices reaching 50 billion by the year 2030. A direct correlation has been made between the increased number of devices and the upsurge in cyber-attacks and data breaches worldwide. In South Africa, well-known organisations and state-owned enterprises (SOEs) have fallen prey to the nefarious actions of threat actors. Noteworthy breaches include Liberty Holdings in 2018, Experian in 2020, and more recently Transnet, South African National Space Agency (SANSA) and the Department of Justice and Constitutional Development (DOJ&CD) in 2021. The Protection of Personal Information (POPI) Act came into effect in July 2021, following an eight-year delay. The continuous postponement of the Act has hampered the protection of South Africans' data privacy as demonstrated by more regular occurrences of data breaches in recent years. Several countries have attempted to address privacy concerns through the enactment of data privacy laws necessitated by the proliferation of technological advances that aid the aggressive collection and indiscriminate use of personal data.
Despite these regulatory updates, the intricacies of data management and the dynamic nature of the governance of data privacy in IoT environments have prompted scholars to indicate the need for a holistic data privacy governance framework. Therefore, this study aimed to explore the factors affecting the governance of data privacy regulation and compliance in connected environments, with a view to developing a framework of guidelines and best practices for governing data privacy in IoT environments in South Africa. This research employed a qualitative multiple-case study of IoT-based organisations in South Africa. This study used non-probability, purposive sampling of a homogeneous dimension to select organisations and participants. In addition, semi-structured interviews of IoT-based organisations in South Africa and a document review of various countries with recently updated data protection regulation were incorporated. The responses were analysed using thematic analysis for the identification of categories and emergent themes. The findings indicate that there are several factors that influence data privacy governance. The upsurge in data breaches is a cause of concern for many organisations. There was consensus that the human factor (individuals and their actions) posed the biggest challenge in terms of the protection of data privacy. Additionally, unsecured devices and networks leave organisations vulnerable to possible attacks. Thus, securing smart devices and educating people on security measures can be seen as integral to curbing security violations, ensuring network integrity and ultimately protecting data privacy. Furthermore, this study identified and explored four key areas of consideration for data privacy governance in IoT environments in South Africa, namely data privacy, data security, data governance and compliance.
This study’s exposition on data privacy pertained to the establishment of guidelines on data management in regard to compliance, people and technology in relation to IoT environments. Data security explored the ways to mitigate and manage data security risks through the adaptation and implementation of standards, protocols and measures designed specifically for IoT environments. The aspect of data governance expounded on the implementation of relevant strategies and policies to govern facets of data privacy in IoT-based organisations. Finally, the concept of compliance provided deep insights in relation to the role of legislation, organisational processes and practices in the industry sector and the effects on data privacy governance in IoT environments in South Africa. Based on the identified key areas of the study, a proposed framework for data privacy governance in IoT environments in South Africa was developed. Thus, IoT-based organisations in South Africa can draw on the guidelines in the proposed framework to inform and assist in the management of data privacy governance in accordance with regulatory compliance.
Description: Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2021
URI: http://hdl.handle.net/20.500.11838/3518
Appears in Collections: Information Technology - Master's Degree

Files in This Item:
File: McArdle_Leona_193052873.pdf; Size: 10.84 MB; Format: Adobe PDF

Items in Digital Knowledge are protected by copyright, with all rights reserved, unless otherwise indicated.