Data governance and security, trends in emerging economies, the case of Africa.
Introduction
The increasing integration of personal and enterprise computing through use cases like bring your own device (BYOD), social media, remote work on company devices and cloud computing has further blurred the boundary of data governance for enterprises and individuals. It is no longer easy to demarcate enterprise boundaries from individual computing boundaries, as employees use the same devices to access personal digital resources and work email. This has led to enterprises losing control of their own data security, with compromises occurring through hacked personal devices that access secured company information.
In order to get a handle on their data security governance, enterprises have made efforts to secure their technology boundaries by deploying granular policies implemented through cloud-based data governance tools like Amazon Macie, and by signing service level agreements (SLAs) with their service providers to guarantee the security and privacy of their data. Africa specifically stands at a crossroads: it is embracing the inevitable emerging technologies like AI, blockchain and big data, but it also has to match them with a regulatory environment that ensures these technologies do not morph out of control, especially as concerns data privacy governance and protection.
1. Trends in Data governance & Security
Among the data security trends in emerging economies such as Africa, the following key technologies, processes and governance approaches are of note:
a) Data warehousing through Cloud applications
For a long time, enterprises have used several distinct systems developed on different platforms to achieve their different business objectives: from human resource management (HRM) systems for managing employee records, to financial systems for reporting business performance, enterprise networks managed by the internal IT team, and mobile applications that give field staff access to corporate resources.
This creates a very complex technology environment, especially for data governance. As a result, unified cloud computing has emerged in an effort to house all enterprise systems under one roof for ease of governance and control. These cloud solutions provide all the major services, such as networking, enterprise applications like Office 365, collaboration tools like Teams and Meet, and even threat intelligence platforms. The efficiency brought about by the pay-as-you-use consumption model has attracted many enterprises that need to manage their budgets but also want full access to these services.
Most of the major cloud service providers are large international technology firms like Google, AWS and Microsoft Azure. Most enterprises cannot afford to develop their own cloud environments and have therefore outsourced them to these firms, which already have the in-house capacity to manage, secure and provision cloud services. This has led to smaller, less technical in-house technology teams for enterprises.
b) Use of Data analytics to inform operations
With enterprise data now converged under a single cloud infrastructure, it has become easy to track specific business performance metrics through customised analytics tools and dashboards, which have helped businesses better understand their operations and fine-tune them to meet very specific targets. Armed with this new knowledge, enterprises have been able to develop new products, processes and even systems that better reflect their target markets.
Fintech products based on banking applications' metadata, such as digital loan apps, on-demand gig economy services like Uber and Airbnb, and even sports betting have emerged from this very granular user behaviour data. However, the personalised nature of these services has raised concerns about the safety and protection of personal and corporate data. Questions about access to personal metadata and the methods used to process it have raised concerns among data privacy practitioners and even led to the banning of some AI-based products like ChatGPT in Italy [1].
c) Increased cyber threats due to a wider threat landscape
Because of the popularity of these highly personalised systems, threat actors have been attracted to these applications and platforms, leading to the highest level of cyber-attacks aimed at compromising financial systems for gain, as is the case with fintechs like mobile banking, mobile loan apps and mobile betting applications [2]. The centralisation of enterprise data in cloud infrastructures and of personal data in social media applications like Facebook, Instagram and Twitter has led to several data compromises, and to several fines imposed on these platform providers for not sufficiently securing personal information [3, 4]. To ensure the safety of this personal data, many countries in the emerging economies have tried to regulate its use by passing data privacy regulations like the Kenya Data Privacy Act 2018 [5], the Protection of Personal Information Act (POPIA) in South Africa [6], and the Nigerian Data Protection Regulation 2019 [7].
2. Challenges in data governance & security
The ubiquitous nature of technologies popularly used both at enterprise level, like cloud application services, and for personal social interactions, like the social media applications Facebook, Twitter, Instagram and TikTok, blurs the boundaries of data governance on these platforms. Even though services like Google Cloud Platform and AWS have data governance modules that enforce specific data governance controls, it is impossible to effectively enforce these at enterprise level. This creates a gap in data security governance that can be exploited by threat actors to compromise enterprise and individual data privacy.
The difference in regulatory frameworks between jurisdictions, especially in Africa, makes it ineffective to enforce standard data security controls across the digital sphere, limiting the effectiveness of any intervention. Many jurisdictions, especially in Africa, do not even have data privacy and security laws, which creates a data privacy governance gap. These gaps are often exploited by some major technology firms, such as those developing facial recognition technologies, and by some drug research companies, which move to these less regulated environments for research activities that would not be legal in the mature markets of the West [8, 9, 10].
Cyber criminals also set up base in these jurisdictions to commit crimes that would be difficult to prosecute due to lax regulatory controls and limited enforcement capacity. The difference in data privacy and security maturity levels makes it difficult to standardise data security controls across jurisdictions, which limits commerce across boundaries and thereby limits economic integration.
The emergence of big data, driven by the large volumes of social media data and cloud-hosted enterprise data, has led to the development of highly sophisticated analytics and AI systems that create models for new products. This has created a further risk of surveillance and targeted information operations by both state and non-state actors. At best, these systems have made it possible to understand public sentiment by tracking mentions on social media, and so to inform interventions in public health emergencies like the Covid-19 response [11].
At worst, they have been conduits for targeted information operations like mass misinformation and disinformation, as in the case of 5G transmission technology, which led to actual destruction of property in parts of Europe, and the anti-vaccine campaigns during the Covid-19 pandemic, which hampered the response to the pandemic in Africa [12]. In some instances, information operations through misinformation have been used to cause civil unrest and even to set the grounds for the compromise of democratic elections in emerging economies [13, 14].
Some technologies emerging from big data analytics, like AI and blockchain, are not yet mature enough and therefore have no clearly defined privacy and security controls. It is therefore very difficult to enforce any specific data security governance standards without access to the AI research labs, which are mainly run from the West but whose adverse effects, like surveillance, are most felt in the emerging economies [15, 16].
3. Potential interventions to Data governance & security in Emerging economies
As a potential mitigation of the identified risks, especially that of fragmented data security and privacy governance in emerging economies like Africa, a starting point would be that, instead of all African countries implementing their respective data protection regulations, they should all ratify the African Union Convention on Cyber Security and Personal Data Protection [17].
This would ensure standard data governance across the whole continent, making the regulatory environment more predictable and easing the integration of digital services across the 54 African jurisdictions. A standardised regulatory environment ensures that major technology and pharmaceutical firms do not take advantage of sparse controls to test out products that would compromise data security for the citizens of African states and that are not legal in the West.
For the international community, there is a need for a legal policy framework to guide the use of AI in developing new digital products, like information operations and surveillance products, in order to ensure that their use does not compromise the digital privacy of civilians. This is possible if the major technology players work hand in hand with regulatory agencies and international agencies like the UN to define a governance framework for technologies like AI, so that we harness its positive attributes but are also protected from its adverse effects.
References
1. ChatGPT banned in Italy over privacy concerns. Accessed on 28th April 2023, from: https://www.bbc.com/news/technology-65139406
2. Mounting cyber threats mean financial firms urgently need better safeguards. Accessed on 28th April 2023, from: https://www.imf.org/en/Blogs/Articles/2023/03/02/mounting-cyber-threats-mean-financial-firms-urgently-need-better-safeguards
3. LinkedIn data breach. Accessed on 28th April 2023, from: https://www.forbes.com/sites/quickerbettertech/2021/07/05/a-linkedin-breach-exposes-92-of-usersand-other-small-business-tech-news/?sh=cff5a695b339
4. Facebook agrees to a breach settlement. Accessed on 28th April, from: https://www.dw.com/en/facebook-agrees-to-pay-725-million-settlement-for-security-breach/a-64201763#:~:text=In%202018%2C%20it%20came%20to,ended%20up%20winning%20the%20vote.
5. Kenya Data Privacy Act 2019. Accessed on 28th April 2023, from: https://www.odpc.go.ke/dpa-act/
6. The Protection of Personal Information Act. Accessed on 28th April 2023, from: https://popia.co.za/
7. Nigerian Data Protection Regulation. Accessed on 28th April 2023, from: https://ndpb.gov.ng/Files/NigeriaDataProtectionRegulation.pdf
8. Chinese surveillance technology in Africa. Accessed on 28th April 2023, from: https://epic.org/the-rise-of-chinese-surveillance-technology-in-africa-part-5-of-6/
9. Europe edges closer to banning facial recognition. Accessed on 28th April 2023, from: https://www.politico.eu/article/europe-edges-closer-to-a-ban-on-facial-recognition/
10. How drug companies are sidestepping the WHO technology transfer hub in Africa. Accessed on 28th April 2023, from: https://theconversation.com/how-drug-companies-are-sidestepping-the-whos-technology-transfer-hub-in-africa-179029
11. Kandasamy, V. et al., 2021. Sentimental Analysis of COVID-19 Related Messages in Social Networks by Involving an N-Gram Stacked Autoencoder Integrated in an Ensemble Learning Scheme. Accessed on 28th April 2023, from: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8623208/
12. Okereke, M. et al., 2020. Covid-19 Infodemic and Misinformation in rural Africa. Accessed on 28th April 2023, from: https://www.ajtmh.org/view/journals/tpmd/104/2/article-p453.xml
13. Social media misinformation stokes a worsening civil war in Ethiopia. Accessed on 28th April 2023, from: https://www.npr.org/2021/10/15/1046106922/social-media-misinformation-stokes-a-worsening-civil-war-in-ethiopia
14. Disinformation is undermining democracy in West Africa. Accessed on 28th April 2023, from: https://www.cigionline.org/articles/disinformation-is-undermining-democracy-in-west-africa/
15. AI in Africa: key concerns and policy considerations for the future of the continent. Accessed on 28th April 2023, from: https://afripoli.org/ai-in-africa-key-concerns-and-policy-considerations-for-the-future-of-the-continent
16. Challenges of AI. Accessed on 28th April 2023, from: https://www.chathamhouse.org/2022/03/challenges-ai
17. African Union Convention on Cyber Security and Personal Data Protection. Accessed on 28th April 2023, from: https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection