In 2023, global smart glasses shipments increased by 210% year-on-year, and ABI Research has predicted that shipments will grow from 5.9 million in 2024 to 114.1 million by 2030.

The technology is moving faster than awareness, regulation or governance, and South Africa is sitting closer to the edge of privacy and regulatory controversy than most people realise.

This controversy has already affected East Africa. In early 2026, Kenyan and Ghanaian authorities identified Vladislav Luilkov as the Russian vlogger who travelled through Kenya and Ghana wearing the Ray-Ban Meta smart glasses, recording intimate encounters with women without their knowledge and posting the footage online for profit. In the UK, a BBC investigation documented how a woman was covertly filmed at a beach, with the footage receiving around one million views online.

By May 2026, a second victim was also reported by the BBC. She was told that the footage would only be removed as a paid service, which was effectively extortion.

Smart glasses with inconspicuous cameras extend patterns already seen with smartphones – they make it easier to capture and distribute images or video of women in public and private spaces without their knowledge, in a society where harassment, exploitation, and violations of privacy remain widespread.

Wearers can potentially discover a person’s identity, address, and other personal details and share these, along with video footage, with anyone they want, on any platform they want, and this creates significant security and privacy risks.

Two Harvard students recently showed how the footage streamed through these glasses could be linked to external AI facial recognition tools allowing strangers to be identified in real time with names, home addresses and personal information pulled from the internet.

Smart glasses are also an Internet of Things (IoT) device with connected hardware running software that can be targeted in the same way any connected device can.

Research by ESET has found that specific attack vectors such as unpatched firmware vulnerabilities, compromised companion apps, and malicious Wi-Fi hotspots are gaining in momentum and capability.

These threats can compromise the glasses or the device they are paired with, and the attacker gains access to everything the wearer sees.

South Africa has begun to adapt its legal framework to digital abuse, including the Cybercrimes Act, the Protection from Harassment Act, the Domestic Violence Amendment Act, and the Film and Publications Act. These all apply to online harassment, harmful content and image-based abuse. Smart glasses are already changing the boundaries of privacy.

These devices represent high-risk AI systems that capture biometric data in public spaces without meaningful consent mechanisms, process footage through offshore contractors beyond South African data protection oversight, and directly challenge POPIA’s consent framework, designed before invisible, wearable surveillance became normalised.

Under POPIA, biometric information is categorised as ‘special personal information’ with processing generally prohibited unless authorised.

South Africa has both the constitutional foundation and the legislative architecture through POPIA to lead African wearable AI governance.

The country, as Africa’s most technologically advanced economy with BRICS ties and a mature data-protection framework, is uniquely positioned to do for African wearable regulation what the GDPR did for Europe and establish a high-water mark that neighbouring jurisdictions can copy. And now is the time to get it right.

As enterprises strive to become increasingly data-driven in their decision-making, strategy development, and operational processes, the value of trusted data is growing exponentially.

Advancements in Graphics Processing Unit (GPU) technology are unlocking the full potential of Artificial Intelligence (AI), the key enabler that allows businesses to rapidly extract actionable insights from massive, complex datasets that would be impossible to process manually.

Today, AI applications are being used to build predictive and comparative models, conduct scenario planning and simulations, monitor operations and optimise efficiency, and drive strategic implementation and innovation.

However, as reliance on data grows, so does the risk. When sensitive data is exposed, whether in the public or private sector, the consequences can be severe.

This risk is amplified by the shift from on-premise infrastructure to cloud-based data storage and processing.

Up against global players

Most major cloud providers operate globally to achieve scale, but this raises a critical question: Does that model still serve local business interests?

Take South Africa, for example. Local companies are no longer competing solely within national borders; they are up against global players.

Many South African businesses depend on cloud-based Enterprise Resource Planning (ERP) and Customer Relationship Management, (CRM) Software-as-a-Service (SaaS) and Digital Platform offerings that are, in many cases, hosted on global cloud providers’ platforms.

With Digital Platforms it is not always clear to the customer where the data is being stored in a global cloud.

Most businesses store some form of intellectual property within their datasets that could be exploited should a competitor gain unauthorised access to it. It would be naïve to not consider this a serious threat.

For governments and other highly regulated industries, the risks are even more pronounced. With increasing geopolitical tensions and sanctions, judicial and operational control over cloud infrastructure becomes a strategic vulnerability.

As an example, if a cloud is hosted in the United States (US), and diplomatic relations sour, access to that data could be cut off. Suddenly, a government may find itself locked out of its own digital assets.

This is why data localisation and sovereignty have become urgent priorities. Governments are enacting compliance laws that require certain categories of data to remain within national borders.

In South Africa, such regulations issued by the Financial Services Conduct Authority (FSCA) have been in place since May last year, mandating that sensitive data be stored locally.

Closing the loopholes

Until recently, regulations like the Protection of Personal Information Act (POPIA) lacked accountability, and many companies exploited loopholes such as offshoring workloads to Europe, where cloud services are scaled on a more economic business model, including more availability for scaling.

But this is changing with the introduction of additional regulations and compliance. For example, new financial sector regulations, such as the Financial Sector Regulation Act (FSRA), now mandate how data must be processed and stored by companies in that sector.

This move towards global financial-grade standards has triggered tighter controls with legal and regulatory consequences.

CIOs are becoming more aware and intentional regarding the requirements for rigorous auditing; transparency in tracking exactly where their data resides, how it moves and transforms, ensuring full visibility and compliance across testing, production and backup environments.

These developments are reshaping the cloud and digital platform landscape. Traditional public clouds, designed to leverage economies of scale by serving multiple sovereign markets from a single or regionally positioned location, are no longer viable for certain use cases.

Instead, we are seeing a shift in demand toward local provider-managed clouds that are tailored for specific workloads, industries and geographic locations, that are configured to meet sovereignty standards, or customer-managed clouds within their own data centre.

For individual enterprises, building and maintaining a sovereign cloud deployed in-country to meet local compliance and ownership requirements is often not their core business and is a complex endeavour.

Cost and complexity challenges

Global providers often struggle with this model due to the cost and complexity of deploying infrastructure in every market and region.

This opens the door for smaller, agile cloud providers who specialise in local sovereign deployments. They build infrastructure locally, tailored to the regulatory and operational requirements of each market.

This approach allows the end customer to retain some of the benefits of the cloud by avoiding operational infrastructure complexity and leveraging economies of scale of shared services to a point.

But they also gain the benefit of compliance, risk mitigation and trust through the commitment of a local sovereign cloud provider who demonstrates their commitment to data sovereignty and local jurisdiction.

CIOs and CEOs must now take a hands-on approach in specifying and auditing cloud solutions. It is not enough for a provider to claim local presence.

A service may appear local, but its backend might run from Europe or the US. Without transparency, sensitive data can quietly drift offshore.

Ultimately, this shift demands a steep learning curve, not just for leadership, but for networking teams and compliance officers. It is no longer just about POPIA but about full-spectrum data sovereignty.

As digital transformation accelerates across Africa and South Africa, cybersecurity has become a critical concern for governments, businesses, and individuals.

The growing adoption of new technologies and the evolving sophistication of cyber threats necessitate proactive and future-proof security measures.

Below, we explore key cybersecurity trends for 2025, highlighting their impact on businesses in Africa, along with notable examples of cybersecurity adoption and the challenges faced by businesses in the continent, including how these trends affect specific sectors.

1. Rise of ransomware and digital extortion

Ransomware attacks are on the rise across Africa, with cybercriminals increasingly targeting businesses, government institutions, and critical infrastructure.

These attacks often demand large ransoms to restore access to critical data, and in some cases, attackers may also steal data and threaten to leak it.

Sectors such as healthcare, finance, utilities, and manufacturing are high-value targets for these types of attacks.

Safaricom in Kenya, one of the largest telecom operators, has implemented advanced AI-driven cybersecurity measures to protect its mobile money platform, M-Pesa, which serves millions of users.

These measures help safeguard financial transactions from ransomware and other cyber threats. Similarly, in South Africa, Eskom, the country’s largest energy supplier, has invested in robust cybersecurity strategies to protect its critical infrastructure from ransomware attacks and other forms of cyber extortion.

As these threats evolve, businesses must invest in resilient cybersecurity infrastructure, disaster recovery plans, and rapid incident response strategies to mitigate the impact of these increasingly sophisticated attacks.

2. AI-driven cybersecurity

Artificial intelligence (AI) will play a critical role in shaping cybersecurity for 2025. While AI enhances threat detection, vulnerability identification, and automated responses, it also presents a challenge as cybercriminals use the same technologies to create more sophisticated attacks.

AI-driven phishing, deepfake fraud, and social engineering tactics are expected to become increasingly difficult to detect, leading to more significant data breaches and fraud incidents.

In South Africa, organisations such as Standard Bank are already leveraging AI-powered threat detection systems to safeguard their digital banking services. These systems are designed to detect abnormal behaviour and prevent attacks before they can cause harm.

In Africa, the rise of AI-driven attacks, including deepfakes and automated phishing, will require businesses to adopt AI-powered security tools to stay ahead of the evolving threat landscape.

In the public sector, AI is used to enhance threat detection and response capabilities. For example, South Africa’s government is investing in AI systems to improve the resilience of public services against cyber threats. As digital transformation continues, these systems are crucial for detecting and mitigating attacks swiftly.

Similarly, AI will help optimise infrastructure development and urban planning in Africa, making it imperative for governments to prioritise AI-driven cybersecurity tools to protect sensitive data.

3. Zero Trust security models: trust no one, verify everything

With the rise of remote and hybrid work environments across Africa, the Zero Trust security model, where access requests are continuously verified, will gain more prominence in 2025. Zero Trust ensures that no user or device is trusted by default, and each access request is verified based on user identity, device health, and access permissions.

For example, the South African Revenue Service (SARS) has adopted a Zero Trust architecture to protect sensitive taxpayer information.

This approach ensures that every request to access or process data is verified, reducing the risk of internal and external breaches. Similarly, as businesses face increasing cybersecurity challenges, adopting Zero Trust will become essential to securing their networks and data.

In the retail sector, AI-driven Zero Trust security models will be essential in protecting sensitive customer information from cybercriminals.

As e-commerce platforms continue to grow, companies will need to ensure that each user, transaction, and device is thoroughly verified to safeguard data.

In financial services, Zero Trust will become critical for preventing fraud, ensuring that only trusted devices and users are allowed access to financial services and sensitive customer data.

4. Quantum-resistant cryptography

As quantum computing evolves, it presents a potential risk to traditional encryption methods. Many businesses, particularly those in sectors like finance and healthcare, rely on cryptography to protect sensitive personal and financial data.

The development of quantum-resistant encryption methods will become increasingly important as businesses look to future-proof their security strategies.

Forward-thinking organisations will need to begin preparing for the transition to quantum-safe algorithms to safeguard their data long after quantum computing becomes mainstream.

This is a critical step for industries handling highly sensitive information, such as banking, telecommunications, and healthcare.

The healthcare industry will be particularly affected by this trend. AI in diagnostics and patient care relies heavily on the security of sensitive health data.

Implementing quantum-resistant encryption will protect patient records and ensure that data remains secure even as quantum computing evolves. Similarly, manufacturing sectors focusing on industrial IoT and AI-driven supply chains will need to adopt quantum-resistant encryption to secure their operations.

5. Business Email Compromise (BEC) and phishing scams

Business Email Compromise (BEC) and phishing attacks remain significant threats. Cybercriminals use sophisticated tactics to impersonate trusted individuals, tricking employees into transferring funds or revealing sensitive information.

These scams are particularly prevalent in large organisations and government sectors, where communication and trust are pivotal.

In South Africa, a leading bank has implemented AI-driven cybersecurity measures to counter such attacks, ensuring that their financial transactions and sensitive customer data remain protected.

Across Africa, social media platforms are also becoming a popular vector for phishing campaigns, with cybercriminals using these platforms to distribute malicious links and steal personal information.

Businesses must continue to enhance their security posture to prevent these attacks and educate employees on how to recognise and avoid phishing scams.

In the financial services industry, BEC and phishing scams are a major concern, with cybercriminals attempting to steal sensitive customer data or manipulate employees into transferring funds.

The implementation of AI-driven fraud detection systems can help financial institutions protect their customers and prevent financial losses.

In retail, AI analytics will also be crucial for identifying fraudulent activities before they lead to significant financial damage.

6. Third-party risk management

The interconnectedness of today’s business ecosystem means that third-party vendors pose a significant risk to cybersecurity. Cybercriminals increasingly target the supply chain, and a breach in a third-party system can have devastating consequences for an organisation.

In 2025, businesses must focus on third-party risk management, ensuring that their vendors and partners meet stringent cybersecurity standards.

Kenya’s Safaricom and South Africa’s Standard Bank provide excellent examples of organisations that have prioritised third-party risk management.

Both companies work. For the mining sector, third-party risk management is crucial to prevent disruptions in operations, especially as mining companies adopt AI-driven remote monitoring and predictive maintenance systems.

Ensuring that third-party providers also meet stringent security standards will help avoid supply chain disruptions. In manufacturing, third-party risk management becomes essential for securing smart factory systems, especially as AI and IoT technologies become more integrated into production processes.

7. Human-Centric Security

Despite the growing sophistication of cybersecurity technologies, human error remains one of the biggest vulnerabilities in any security system.

As cyber threats become more advanced, organisations will focus more on human-centric security, emphasising employee training and awareness to mitigate risks such as phishing and weak password practices.

The shortage of skilled cybersecurity professionals in South Africa and other parts of Africa further exacerbates the challenge of securing organisations against human error.

To address this, companies must invest in continuous employee training, providing resources to help workers identify and avoid common social engineering tactics.

By fostering a culture of security, where every employee plays a role in protecting the organisation’s assets, businesses can significantly reduce their exposure to cybersecurity risks.

In the public sector, human-centric security will be critical to ensuring that government employees and contractors are well-trained to recognise and prevent phishing attacks, especially as AI-driven systems become more prevalent in public service delivery. Similarly, the healthcare sector will need to focus on training staff to securely handle patient data and protect against social engineering attacks, ensuring the privacy of health records remains intact.

8. Challenges in implementing cybersecurity measures

a. Limited resources: Many organisations across Africa face financial constraints, making it difficult for them to invest in advanced cybersecurity tools and hire qualified professionals. Smaller businesses, in particular, struggle to implement comprehensive security measures due to budget limitations.

b. Evolving threat landscape: Cybercriminals are continuously adapting their tactics, necessitating ongoing investment in updated security technologies and employee training. This rapid evolution of threats presents a significant challenge for businesses looking to stay one step ahead.

c. Regulatory compliance: As regulatory frameworks like the Protection of Personal Information Act (POPIA) in South Africa become more stringent, organisations must ensure compliance with evolving data protection laws. Navigating these complex requirements can be both resource-intensive and costly.

d. Skills gap: The shortage of qualified cybersecurity professionals remains one of the most significant barriers to effective cybersecurity implementation. Without enough skilled experts, organisations are vulnerable to cyberattacks.

Cybersecurity is an urgent concern for organisations across Africa as they face a rapidly evolving threat landscape.

From the rise of ransomware and digital extortion to the adoption of AI-driven security tools and Zero Trust models, businesses must remain proactive in securing their digital infrastructure. The integration of quantum-resistant cryptography and a focus on third-party risk management will also play a critical role in safeguarding data.

Despite the challenges—such as limited resources, a skills gap, and regulatory complexity—organisations can enhance their cybersecurity posture by leveraging advanced technologies, fostering a security-focused culture, and collaborating with trusted cybersecurity partners. By staying ahead of these emerging trends, businesses across Africa and South Africa can ensure they are not only secure but also resilient in the face of evolving cyber threats.

Despite the notable progress in mobile banking and fintech, the continent continues to face a significant financial inclusion gap, with over half the population remaining unbanked.

This paradox is particularly evident in South Africa, where a sophisticated financial sector coexists with deep inequality.

To bridge this divide, South African banks are leapfrogging legacy hurdles by embracing technologies like generative AI (GenAI), focusing on socioeconomic trends and using advanced tools to reshape customer interactions and underwriting processes.

Breaking down barriers to the unbanked

Despite the fact that a high percentage of South Africans have access to formal financial products, a significant portion of the population remains effectively unbanked due to distrust of financial institutions, particularly within the informal sector.

To appeal to this market, the Banking, Financial Services, and Insurance (BFSI) sector is pursuing digital strategies that build trust by offering more accessible financial solutions.

In leveraging conversational banking and prioritising customer experience, South African BFSI players can attract tech-savvy users while retaining traditional customers, ultimately driving greater financial inclusion across the country.

By integrating AI, South Africa’s BFSI sector can enhance customer experiences and operational agility, ultimately driving financial inclusion and sustainable growth in the digital age.

The role of Generative AI in digitising access

GenAI is playing a decisive role in transforming the BFSI sector in South Africa. Banks are now leveraging AI-powered chatbots to provide 24/7 customer support, answer frequently asked questions, and personalise customer interactions at every touchpoint.

This not only improves customer satisfaction but also frees up human agents to handle more complex inquiries.

Furthermore, AI is revolutionising credit scoring, especially for underserved populations. By analysing alternative data sources like mobile phone usage and utility payment history, AI can assess creditworthiness for individuals who may not have a traditional credit score.

This helps to expand financial inclusion by providing access to credit for those who were previously excluded.

First address risks associated with AI

While AI offers significant benefits, it is essential to address the risks associated with its use. Organisations must be cautious when partnering with cloud-enabled service providers.

These providers should prioritise data privacy and security by adhering to strict regulations like General Data Protection Regulation (GDPR) and Protection of Personal Information Act (POPIA).

They should also employ advanced encryption techniques to protect sensitive customer data. Transparency is key; providers must inform customers about data usage and offer options for data control.

By partnering with reputable providers who prioritise these factors, organisations can mitigate the risks associated with AI and ensure the ethical and responsible use of technology.

The rise of fintech and digital-first banks

To serve diverse customer segments, South African banks are implementing tailored digital strategies. For affluent customers, banks offer personalised financial services through advanced digital platforms, including wealth management tools and investment advisory services.

For underserved populations, banks are focusing on accessible options like Unstructured Supplementary Service Data (USSD) banking and micro-lending.

By partnering with financial technology (fintech) companies, banks can reach underserved segments and offer innovative financial solutions.

The emergence of fintech and digital-first banks has increased competition and forced traditional banks to innovate.

These newer banks often offer more digital-friendly services and a focus on customer experience.

Driven by the need to innovate to survive, traditional banks have responded by investing in digital platforms and partnering with fintech companies to offer more convenient features like instant transfers and AI-powered customer support.

With the emergence of Rich Communication Services (RCS), companies are now able to offer a more enhanced customer experience compared to traditional Short Message Service (SMS).

Key features include multimedia support, file sharing, branding, and two-way communication. RCS also provides stronger security features, such as encryption and verification, to reduce the risk of fraud.

Future advancements in AI and digital banking

AI-driven credit scoring for the unbanked, voice and conversational banking in local languages, and AI-powered financial literacy tools are key areas for future development.

These advancements can further drive financial inclusion and growth in Africa’s BFSI sector. By leveraging AI and digital technologies, South Africa’s BFSI sector can overcome legacy challenges, foster financial inclusion, and contribute to the country’s economic growth.

This requires prioritising customer experience, addressing AI risks, and tailoring strategies to serve diverse populations.

There is no doubt that doing everything possible to prevent the crisis in the first place and then having a very carefully drafted playbook to activate an appropriate crisis response places a business in a far more favourable position than if it had no plans in place and is reacting in the heat of the moment.

The very idea can give CEOs sleepless nights. Now, consider that we live in times where cyber-attacks are increasing at breakneck speed and that everyone is a potential target. It is plain as day that every business needs a cybersecurity playbook.

Typically, a playbook relates to things you want to standardise and in this instance, it refers to how a business prepares and shores up its defences, as well as how it standardised its incident response procedure according to best practice in a way that results in the least amount of damage to the business.

Some of the most well-known businesses in the world, including in South Africa, have fallen victim to breaches.

Even if the data damage was minor in the greater scheme of things, they have suffered immense reputational and regulatory damage in the form of fines.

Just who are these threat actors? There are those who are in it for the money alone, others who are state-sponsored, some are driven by ideology and some may even be disgruntled staff in your own organisation. In some of the most malicious attacks, competition businesses pay threat actors to bring down a business’s systems to benefit their own.

How do they achieve their goals? If you pay them a ransom, they make money. If you don’t, they will make money selling your data.

They become vindictive and will widely publicise the extent of your data breach. Of course, if you did pay a ransom you will be attacked again because the threat actor knows you pay.

Often, as Armata, when we are called in to do an assessment of an environment after a breach we find that the threat actors have built a backdoor for another attack at a future date. Most times, we find many more areas of vulnerability that no doubt sophisticated hackers would also have spotted.

With this in mind, let’s take a closer look at what a cybersecurity playbook entails. It is a blueprint on how to react to the crisis with a clearly defined procedure. The incident response team is only one aspect.

A proper computer security incident response team (CSIRT) process will include the C-suite and other vital team members, such as those who are responsible for the day-to-day operations, dealing with stakeholders and customers, someone from the legal department, the heads of IT and people who look after the various systems, and marketing and communications. The playbook has clearly defined functions and responsibilities for each of these people. 

By way of example, suppose there has been a ransomware attack. The response may look like this:

The attack has only locked us out of our systems, and we can concur that no data has been stolen. The only impact is that it has affected the running of the business and so we either need to restore our systems or pay a ransom.

Legal says, yes we have not lost data so we do not need to report to the regulator about a POPIA breach, but it is advisable to let them know that we have had a ransomware attack and that we are looking at bolstering our security to stop it from happening again.

The CEO asks what would happen if an employee lets the news out and the story gains legs of its own, and so suggests that the business announces the attack publicly, and frames it as a business-impacting event where no customer data was stolen and that it is business as usual pending the restoring of systems.

The communications and PR team drafts the statement and reactive holding statements and manage potential media enquiries.

The business then engages a cybersecurity expert business to come in and run pen tests, analyse the system, and make recommendations on beefing up security and fixing vulnerabilities, or to take over the duties of a managed services arrangement.

The above is only surface-level for illustrative processes but it is useful in explaining the scope of a cybersecurity playbook.

Every organisation should take a moment to look into its own cybersecurity strategy and incident playbook and make sure that it has invested the type of attention it deserves.

Consider that if an organisation is attacked and the regulator finds that it did not take all reasonable steps to protect its systems, it could fall foul of compliance and be liable for massive fines and reputational damage.

Whereas, if the business had been working with an expert partner, those questions would have already been dealt with and the incident response would have been managed correctly.

Always seek out a partner that has experience, across industries and organisation sizes, so that you can get the best possible advice and service to protect your organisation and your customers’ data.

=======

Moving to the cloud certainly makes sense from an African business perspective, despite some serious challenges and risk factors unique to these shores. However, not all businesses can take the plunge.

Some businesses are reliant on expensive legacy systems that work well for them, while others are dissuaded from the move because of budgetary and compliance concerns.

Luckily, a revolution in how cloud computing is approached means businesses not quite ready to migrate to the cloud fully can extract the benefits of being in the cloud while still using their own on-prem systems, which effectively redoubles security efforts and removes legislative compliance headaches.

Before we get there, let’s take a look at the context in Africa generally and South Africa specifically.

Until the last few years there hasn’t been a great deal of infrastructure investment on these shores by the key cloud players. While we have seen this change recently with substantial Microsoft and Amazon Web Services investments, we are also seeing the uptake of other providers such as Snowflake and MogoDB Atlas, which offer more cost-effective cloud-based solutions.

There’s little denying that the time has arrived for Africa to be a global player and not just a consumer.

Challenges make this difficult, and closer to home any business can attest to the pain caused by our unreliable energy grid. During load shedding, and the sometimes-unplanned outages that follow the power cuts as a result of poor infrastructure, communications often grind to a halt and technology becomes unavailable.

An enterprise business which runs on-prem solutions needs to invest in hardware as well as a connectivity solution.

This entire setup runs on power and so now there is an extra investment needed: backup power in the form of generators, solar and batteries and UPS systems, which are all expensive.

Essentially, this means that if a business made an investment in a data centre two years ago, if you factor the need to replace hardware components which have taken a massive wear and tear beating due to persistent power surges as the power supply switches from the utility to another source, as well as the actual power backup system itself, it is fair to say this same business would have to quadruple that investment today to keep going.

If we consider that running an on-prem business requires huge amounts of capital, it should follow that cloud makes business sense. Yet still there is hesitancy and it is important to interrogate the reasons for this.

The cloud can become extremely expensive. By way of analogy, when you move house, you need to go through everything you have accumulated over time, sort through it, pack, change location and integrate it into your new space. This requires a great deal of time – something most businesses don’t have in abundance.

Very few organisations can afford to take time out to sort through, analyse and order its data before moving it to the cloud.

They must remain online, and they must be making real-time data-driven decisions to remain competitive, so they move massive volumes of data to the cloud, which is expensive and if it is unsorted and uncleaned, the exercise is akin to bleeding money.

Cloud technology itself has not yet evolved to a place where one provider can tick all the boxes and provide a full, one-stop shop for every business’s needs. This requires moving to multi-vendor solutions. One vendor may account for 70% of a business’s functionality while the rest is spread elsewhere and so there must be a concerted effort to seek compatibility.

Lastly, a business must understand its data to use its data. As mentioned, businesses have data in a number of different places and so the question must be asked – what is the point of bringing this data into the cloud if there is no use case for it? Businesses simply must be in control of their data.

Beyond these three major stumbling blocks for many businesses, and the risk that load shedding and unreliable energy supply adds to the equation, there are also legislative and trust issues, and a reliance on legacy systems. The second a business puts data into a public space it invokes POPIA. Being POPI compliant is a complex and expensive exercise which adds to business hesitancy to move to the cloud.

POPIA also places strict rules on cross-border movement of information and businesses know they must work with expert counsel to remain compliant.

However, compliance doesn’t end there. If one looks at the cloud infrastructure in South Africa, most use Europe-based data centres and so businesses need to be compliant with basic European law. This is not well-known in South Africa.

Some businesses, especially those in the manufacturing sector, have invested in massive legacy systems which may be outdated and heavy or clunky, but they do the job well for these businesses. Sometimes the financial investment in these systems just doesn’t justify another capital outlay to move to the cloud.

The big picture that we have painted is clear. We have a massive need for cloud computing but a fairly long list of challenges and risks that prevent wholesale uptake. And to be clear, this is not a global problem, this is an African challenge.

Thankfully Qlik has been proactive in cloud computing in Africa and has provided the perfect evolution, or as I prefer to describe it, a revolution: the ability for businesses to unlock the power of the cloud and data processing while staying on-prem.

This is achieved through a number of capabilities, notably a toolset that brings together three different technologies in a single subscription, removing the need for add-ons or extra purchases, it’s agnostic because no single business has one, unified source of data, and Qlik has its own cloud which means that businesses don’t get charged for cloud storage and computing power, which is crucial in a cost-sensitive environment.

Simply put, the use of a tool such as Qlik Forts enables a business to control its security because data stays at its source. It utilises the benefits of the cloud without any data leaving the on-prem systems. In essence, it addresses compatibility, cost, the pursuit of actionable insights from data, compliance and legacy concerns. Don’t be surprised to see more businesses working in a cloud environment within their own native systems as they realise there is another way to leverage the power of the cloud.

Now, nearly a year since it activated in July 2021, organisations are settling into the reality of conducting business in alignment with its regulations and data protection best practices.

While many organisations have placed compliance at the core of operations, there has sadly been a surge in data breaches impacting South African businesses in the same period, creating a climate that is ripe for POPIA enforcement.

The first anniversary of POPIA

POPIA governs the processing of personal information of individuals and juristic entities (“Data Subjects”) by organisations (“Responsible Parties”) in South Africa, regulates the processing of personal information of individuals by organisations from collection, aggregation and usage all the way through to retention and destruction.

Encouragingly, the Information Regulator, empowered to monitor and enforce compliance with the provisions of POPIA, has been active in engaging with organisations that have experienced data breaches over the past 12 to 18 months.

The added scrutiny means organisations must be far more cognisant of how they process personal information, ensuring that their security controls are adequate and effective.

Gateway to international arena

While compliance has historically been viewed as an administrative burden, many organisations now realise that privacy enablement is no longer a ‘nice to have’ but a valuable necessity of being able to do business. In tandem, technology companies are ensuring privacy forms a key part of their offerings.

The role of the Information Officer

The mandatory appointment of an Information Officer in all organisations remains one of the more contentious aspects of POPIA.

Without clear guidance on where this role needs to be positioned, organisations have adopted differing approaches. In practical terms, this is often driven by the size of the organisation, the resources at its disposal and the level maturity of its data protection programme.

Whereas smaller organisations are likely to appoint a multitasker, where the role of Information Officer will be added to the existing headcount in the business, larger arge organisations are more likely to hire a full-time candidate who will be dedicated to the role and oversee a discrete data protection function.

A seat in the boardroom

As more organisations begin to recognise the impact of data protection, both fiscally and reputationally, –privacy has become a business imperative requiring executive input.

This often becomes the preserve of Chief Information Officers, but there is an increased focus on appointing experienced Chief Privacy Officers with specialised skills in ensuring POPIA protocols are followed.

Attention to third parties

One of the biggest challenges for local organisations is the lack of attention to privacy risks associated with third parties. As operators in the POPIA relationship, they must also play their part in preventing security compromises.

It is therefore imperative to consider the reputation of the third party, the maturity of their privacy programme and whether they employ suitably qualified and certified privacy and security personnel to oversee their operations.

A final, overarching component of the compliance journey is ensuring that awareness of data protection obligations and privacy rights permeate all levels of the organisation through regular privacy training.

Privacy training must be regularly conducted, departmental based and appropriate to the organisation.

The adage “privacy is everyone’s responsibility” holds true, which is why organisations must improve accessibility to data privacy practices and ensure all employees are cognisant of the privacy regimes within their organisation. Data protection must become part of the living culture of all organisations.

The Protection of Personal Information Act (POPIA) is a critically important and necessary piece of legislation that the consumer has long been waiting for. In terms of protecting people’s personal information, it aligns South Africa with markets in the rest of the world and (amongst many other things) it has helped limit the extreme abuse of personal information among more dubious operators, such as groups profiting from relentless sales and robocalls.

Companies of late are striving to be compliant to avoid POPIA’s substantial fines and consequences such as losing customers and brand damage.  

Ironically however, in doing so, many companies are experiencing churn because they jumped onto the compliance bandwagon without a comprehensive understanding of legislation and as such went too extreme when reengineering their business processes.

Damned if you do or if you don’t? Not entirely – the real issue is that companies fail to put POPIA into context given their risk appetite for using personal information in day-to-day operations.

Let’s compare two extremes as an example by considering different business scenarios for both a bank and a basic service provider. A bank can offer you an account, which allows you to transact with large sums of money.

A basic service provider simply needs to verify your particulars in order to “know you” and conclude a service contract.

The two types of accounts represent different levels of risk both in terms of legislation and business consequences, and the scope of personal information they need to onboard a new customer is therefore very different. Both will use KYC (Know Your Customer) processes.

Yet the basic service provider would not need to process the same levels of personal information as the bank does and each entity should follow the principal of ‘minimality’ by only collecting the minimum required personal information of their clients.

As an example, a bank would require a comprehensive understanding of their client to comply with Anti-money laundering laws, while a service provider would not necessarily. 

This is the difference between conducting adverse media screens, Politically Exposed Person Screening, Enforcement List Screening or Sanction List Screening or not.  It is also the difference between processing a client’s personal biometric data or not (which is classified as special personal information). 

In the wake of POPIA, what is often observed however, is that companies often ignore such distinctions and over-engineer their business processes to meet compliance standards not fit for their business and thus lose their “fit for purpose” context which in turn compromises their customers user experience.

In the absence of understanding, businesses throw caution to the wind and engineer against the extreme to mitigate legal repercussion. 

The opposite also holds true in that many businesses, in the absence of understanding, under engineer their business processes because they fear legal retribution and in so doing fall fowl of their own legal requirements for purposes of other legislative influences that effect their business. 

In both cases the over and under engineering of business process have negative consequences that a simple understanding of POPIA could avoid. 

Rather than lay out a series of strict steps that results in a “one size fits all” approach, POPIA outlines general considerations in the act and special reference here applies to Chapter 8, part B from section 26 – 33 where the processing of special personal information applies.   

At Contactable we have seen companies take POPIA to extreme measure such that all data is totally anonymised internally and a back office can no longer resolve a client query because they cannot ascertain who the client is. 

Alternatively, we receive requests to delete all personal information that we process immediately after processing to avoid any unnecessary exposure to data stores, however, a few months later the client is back on our doorstep asking us to undo this request as they can no longer support their customer queries due to a lack of access to data. 

In all instances, the understanding of POPIA and the true risk is the key to determining the best use of personal information.

Your business needs access to some personal information to transact and has a right to such data. For example, a car dealership can ask for someone’s ID number or credit record – how else will they secure a loan from a bank or process the car registration or be able to comply with relevant legislation? You take on a certain level of risk based on the transaction’s context.

In this case, the dealership needs processes that safely handles personal information related to a vehicle sale. But it doesn’t have to do more than that and it certainly cannot afford to do less than that.

Context matters, fit for purpose processing matters, CONSENT matters and learning to balance the legal requirements of POPIA with the customer experience is imperative to remain competitive in an ever-changing legal landscape. 

If you try and placate every conceivable private data risk, you only damage your ability to transact.

On the other hand, if you do not comply with POPIA and other relevant legislation, you might face fines and brand damage.

But if you have a clear sense of what type of data you need and why, you can create a balance between laws such as POPIA and the requirement for your business to use personal information in order to transact with your clients.

Don’t fall into the trap where you over-engineer processes out of fear or a wish to mitigate all risks. A blanket approach will not work – every business is different. Fortunately, POPIA gives the space for you to determine your data privacy policy and destiny.

Recording and recalling faces is so intuitive that there is even a condition called prosopagnosia, which occurs when someone struggles to remember faces.

Not surprisingly, scientists have discovered our brains have areas dedicated solely to managing information about faces.

Humans are very social creatures, and we rely on quickly identifying friends from foes in a group of faces.

Ever since we invented computers, we’ve aimed to endow them with the same abilities. Today, we have computers that understand human speech, translate languages, and recognise our faces.

Facial recognition biometrics are today more accurate than the human eye can ever be.

Facial recognition is already used extensively to identify individuals, help prevent crimes such as fraud and make it easier for people to authenticate and access services through their digital identity. We already unlock our phones with a glance nearly 400 times a day.

Imagine if we could pop into the doctor’s office or breeze through airports using our faces to unlock everything, safely and securely.

Until recently, there have been two key limitations around facial recognition. The first is scale. Finding a face amongst thousands, millions, or billions without any reference, like an ID, to narrow the search, is like looking for a needle in a haystack. It’s very intensive and time-consuming, sometimes more so than what makes the process worthwhile.

Then there are important privacy concerns. For such a system to work fast, it often relies on other personal data, such as your ID, e-mail, or mobile number. If someone were to access that data used alongside your photo, they could learn a lot about you.

Exciting new developments in this space are resolving these issues. Specifically, a technology called CryptoNets using fully homomorphic encryption is changing how fast and securely computers can identify a face. It’s a very technical breakthrough, so let’s keep it simple.

CryptoNets uses artificial intelligence and new types of encryption to deliver on two fronts. It is very fast, locating a face among countless others in milliseconds without the need to have any other data to narrow the search.

It is also highly efficient, requiring far fewer computing resources than other types of facial recognition when making one-to-many comparisons or the traditional one-to-one face comparisons.

The technology is also great for privacy. Information encrypted through CryptoNets becomes anonymized data and no longer contains personal information. It is useless without the system, which itself doesn’t need to decrypt the information to use it.

So, there is no point in stealing that personal information. Notably, CryptoNets technology converts material such as photos or voiceprints into a different data format that cannot be used outside the CryptoNets context.

The result is a new biometric technology that is much faster, far more secure, naturally compliant with personal information laws such as POPIA and GDPR, and applicable to different forms of recognition.

CrytoNets technology also supports voice, fingerprints and so on. And because of how it works, CryptoNets can quickly identify someone using only one element, such as a photo (no need to give your ID number every time you verify yourself), and does so in near real-time, so it works even in large crowds.

Now, many of us become nervous when we think of facial recognition. There is always scope for abuse and mistakes. But facial recognition is not going away – it’s just too helpful. So, we should instead ask how we can make it more responsible and respectful of our privacy.

CryptoNets technology achieves privacy and efficiency goals with incredible results. As it grows more popular, it will improve biometric recognition of all types while keeping our personal information safer. It aligns nicely with a wave of improvements in the sector that promotes better ethics and greater accuracy.

Facial recognition is controversial for many reasons. These are being resolved through breakthroughs such as CryptoNets. From fraud prevention to opening your front door with your voice, it will improve many aspects of our lives in fantastic ways without compromising our safety and privacy.

Digital identity orchestration Company, Contactable, will be the first organization in Africa to pioneer this technology as part of its extended product offerings in the market.

Across Africa, many existing data security and protection laws were modelled on the regulations of the EU’s first data privacy legislation – the EU Data Protection Directive (1995), which preceded the GDPR.

Current data protection law in Africa is therefore largely similar to the GDPR, although there are also some significant differences. Businesses with operations in Africa that are already GDPR compliant will find that this is a good first step, with local expertise also essential to ensure compliance with jurisdiction-specific differences in the laws and regulations.

Enid Baaba Dadzie, Senior Associate at Kimathi & Partners in Ghana, notes that Ghana’s Data Protection Act was passed in 2012, ahead of the adoption of the GDPR, so it does not expressly follow the GDPR framework.

However, the Act regulates the collection and processing of personal data through similar principles provided in the GDPR.

Similarly, Sonal Sejpal, Partner at ALN Kenya | Anjarwalla & Khanna notes the provisions of Kenya’s Data Protection Act, 2019 also correspond to those of the GDPR, but are not identical.

Janet MacKenzie, Partner and Head of the IPTech Practice at Baker McKenzie in Johannesburg says the Protection of Personal Information Act (POPIA) was first prepared as a draft bill in 2009, and was based on the EU Directive, which was replaced by the GDPR in 2018.

There are similarities and major differences between POPIA and the GDPR. For example, the GDPR only protects the personal data of natural persons and does not extend its protection to juristic persons, whereas POPIA protects the data of both natural and juristic persons.

Pierre Deprez, an Associate at Nasrollah & Associés Baker McKenzie in Morocco, notes that current data privacy law in Morocco follows the “declarative” framework of the EU Directive n°95/46, which prevailed in Europe before the GDPR was passed.

In Rwanda, both the Law Nº 058/2021 of 13/10/2021 relating to the Protection of Personal Data and Privacy and the draft Regulation Governing use of Personal data in Rwanda 2019 follow the same framework as the GDPR.

According to Emmanuel Muragijimana, Chief Associate at K-Solutions & Partners in Rwanda, “These legislations have some highlighted similarities, including principles relating to processing of personal data, obligations on the companies and organizations in order to ensure the privacy and protection of personal data, providing data subjects with certain rights, and assigning powers to regulators to ask for demonstrations of accountability or to impose fines in cases of non-compliance.”

Arnold Lule Sekiwano, Partner at Engoru, Mutebi Advocates in Kampala, Uganda, says that privacy law in Uganda is also partially based on the GDPR.

“Uganda’s Data Protection and Privacy Act (2019) (Act) aims to protect the privacy of the individual and of personal data and is, in some limited respects, inspired by the GDPR. The Act also mirrors the UK Data Protection Act, 1998, which revolves around several principles concerning data protection and collection. The Act created the personal data protection office in NITA-U, also an independent body synonymous to the UK’s Information Commissioner’s Office, set up under Chapter 6 of the GDPR. One of the main contrasts of Ugandan privacy law with GDPR is the absence of legitimate interest as a legal basis for processing in the Ugandan Act,” he explains.

Ammar Oozeer, Barrister at Law at BLC Robert & Associates explains that in Mauritius, “the Data Privacy Act (DPA) 2017 is aligned with international standards, namely the GDPR and the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data. However, there are certain instances in the DPA 2017 where the provisions are not the same as those contained in the GDPR. For example, the hefty administrative penalties under the GDPR have not been reflected in the DPA 2017, the requirement under the DPA 2017 for controllers and processors to be registered with the Data Protection Office prior to the processing of personal data, and the absence of automatic transfer to countries ensuring an adequate level of protection based on the determination of the Data Protection Office. 

He notes further, “The Mauritian legislator has adopted a criminal regime for sanctioning contravention of the DPA 2017. However, if an individual has suffered prejudice as a result of a breach of the DPA 2017 by a controller or processor, for example, following a personal data breach, the individual may claim damages or that breach under the law of tort.”

Ammar explains that to attract foreign investors, in particular, from the EU, it is imperative that African countries have robust data protection legislation because data protection is regarded as a fundamental right in the European Union.

Ijeoma Uju, Partner at Templars in Lagos, Nigeria, says that the Nigerian Data Protection Regulation (NDPR), 2019, is significantly modelled after the GDPR, noting that, “both laws are reasonably similar in terms of rationale and core principles. The NDPR and the GDPR both aim to provide data subjects with a certain level of protection regarding their personal data. The material scope of the laws are consistent, with common definitions and principles on processing of personal data in general.

“For example, the GDPR require data controllers to report a data breach within 72 hours after becoming aware of such breach. The same provision can be found in the NDPR implementation framework. Beyond the similarities, both laws also have notable differences. One major difference is the requirement under the NDPR for the filing of data audit reports on an annual basis if certain processing thresholds are met. Additionally, unlike the NDPR, the GDPR is a more unified framework. Although the NDPR and the Data Protection Bill aim to achieve this goal, Nigeria laws on data protection and privacy are currently not as comprehensive or unified,” she notes.

The GDPR has clearly given African governments a yardstick by which to measure and develop their own privacy laws, as well as giving African organisations an international standard to adopt, and thereby maintain the trust of the international community. However, it is also imperative that local expert advice is sought to ensure compliance with country and region-specific laws.