Protection of Personal Information:
Useful tools for mobile application developers and their clients.
Written by Philip van Tonder (Advisory Board member: MMA South Africa)

With POPI on the horizon, this article introduces a few tools that WASPs, mobile application developers, and the brand owners who commission them, may consider adopting when they embark on designing and developing mobile marketing applications.

  • Adopt a “Privacy-by-Design” approach

Although the various app store platforms (Apple, Android, etc.) all have certain minimum requirements regarding privacy, it is in MMA members’ interest to adopt a privacy-by-design approach at every stage of the mobile app life cycle. The seven principles of privacy-by-design are:

  • Personal data protection should be proactive and preventative (not reactive and remedial). It anticipates and prevents privacy-invasive events before they happen.
  • Personal data protection should be the default setting, i.e. if an individual does nothing (e.g. does not tick a box), their privacy remains intact. No action is required by the individual to protect his privacy – it’s built into the application by default.
  • Personal data protection should be embedded into the design of the app and not bolted on as an add-on afterwards – it must be integral to the app’s core functionality.
  • Privacy-by-Design should not be a trade-off against functionality or security, but should seek to accommodate all legitimate interests in a win-win solution.
  • Personal data protection should extend securely throughout the entire lifecycle of the personal information processing, from start to finish (collection to erasure).
  • Privacy-by-Design should be open and transparent to all stakeholders, delivering the stated promises and objectives, and always subject to independent verification.
  • Privacy-by-Design should be user-centric, keeping the interests of the individual uppermost by offering strong privacy defaults, appropriate notice, and empowering user-friendly options.

  • Perform Privacy Impact Assessments

A Privacy Impact Assessment (“PIA”) is a well-known compliance and risk assessment tool. Mobile marketers are encouraged to use it when designing and developing mobile applications to systematically evaluate, at an early stage, an application’s potential impact on personal information privacy, to detect any risks, and to minimise adverse impact.
A PIA can be a massive undertaking, or you can scale it down to fit the nature of your mobile marketing project. The following basic steps should be undertaken:

  • Describe how personal information will flow within the mobile application. Understand what personal information is required from the end user, what purpose it’s going to be used for, who will have access to it, etc.
  • Identify privacy-related risks, e.g. are you at risk of attracting fines (in future) for transgressing any of the POPI Act’s eight conditions for lawful processing? Also consider risks to the data subject whose information you’re dealing with. Finally, consider whether your app complies with the seven Privacy-by-Design principles.
  • Identify and evaluate privacy solutions i.e. what actions you may take to address the risks identified. Identify possible solutions e.g. you may decide not to collect certain personal information. Evaluate the costs/benefits of the solution.
  • Integrate the PIA outcomes into your project planning i.e. ensure that any actions required to give effect to your PIA are included in the app design specifications.

Consultation is an important part of conducting a PIA. Going it alone, you may miss some of the risks associated with the flow of personal information in the mobile application, so conduct the PIA in consultation with colleagues and/or consultants.

  • Create a good Privacy Policy

Write a privacy policy that is easy to find and easy to understand. The MMA has published a mobile app privacy policy framework that provides a good base, and uses language that will be quickly and completely understood by the consumer. The framework addresses questions such as:

  • What personal information does the app collect and how is it used?
  • Does the app collect precise real-time location information on the device?
  • Will 3rd parties have access to information collected by the app?
  • Does the app collect data to enable serving of advertising to the device?
  • What are the user’s opt-out rights?
  • What is the data retention policy – how long will the app store personal information? 

The mobile application privacy policy framework can be downloaded from the MMA’s web site at
The above-mentioned concepts of Privacy-by-Design, Privacy Impact Assessment and Privacy Policy may seem somewhat new to the South African mobile marketing scene, but they’ve been tried and tested in a number of countries over recent years. At the MMA we believe that mobile marketers would find value in getting to know these concepts and adopting them in a POPI-regulated environment.


“Personal data privacy protection: what mobile apps developers and their clients should know”. Office of the Privacy Commissioner for Personal Data. Hong Kong. November 2012.
“Privacy by Design. The 7 Foundational Principles”. Ann Cavoukian. Information and Privacy Commissioner of Ontario. January 2011.
“Conducting privacy impact assessments code of practice”. UK Information Commissioner’s Office. February 2014.
“Mobile Application Privacy Policy Framework”. MMA Privacy and Advocacy Committee. December 2011.
“Privacy in mobile apps, guidance for app developers”. UK Information Commissioner’s Office. December 2013.
