POPI Compliance may be a ‘last minute scramble’

By Isabelle Coetzee

Following the commencement date of the Protection of Personal Information (POPI) Act, businesses will have one year to become ‘POPI compliant’.

According to the 2017 POPI Act Compliance Survey, which was run by ITWeb, only 21% of their 265 respondents said they were POPI compliant.

Among the remaining respondents, 19% admitted they were not compliant, 26% said they were unsure whether they were, and 35% said they were busy getting their house in order.

But what does it actually mean to be POPI compliant?

Alison Treadaway, director and digital communication specialist at Striata, explains that POPI stipulates how businesses can legally process consumers’ personal information, such as email addresses, ID numbers, and cellphone numbers.

This is to protect consumers from having their information sold to the highest bidder or stored in vulnerable locations where hackers can easily access it.

To become compliant, businesses must prove that the personal information they collect is acquired responsibly and that it is adequately secured.

However, Treadaway points out that it’s difficult to get an accurate gauge of how prepared South African companies are for POPI.

She believes companies may have initially prepared for POPI, but that delays in implementing the legislation could have tempted them to put their efforts on hold.

“If the situation is anything like that which occurred during the implementation of the European Union’s General Data Protection Regulation (GDPR), then we’ll likely see a last-minute scramble,” says Treadaway.

A closer look at POPI

Treadaway explains that under POPI, organisations will only be able to collect personal information for a specific purpose.

Once collected, they need to apply reasonable security measures to protect it, ensure it’s up to date, remove information they no longer need, and allow consumers access to their own data.

Additionally, companies are required to appoint an information officer, who must ensure that data is constantly secured, new data is appropriately handled, and old data is destroyed.

“In essence, POPI gives consumers more control over how their data is used and stored by organisations,” says Treadaway.

If consumers’ data is compromised in a breach, the Information Regulator will investigate whether the breach was caused by a lack of compliance in the organisation’s systems.

Thomas Vollrath, company head at 1-grid.com, believes data is a company’s most valuable asset, which means businesses should make sure they use the correct technology.

“Choosing the right data and document processing applications will put you on the right path to becoming compliant,” says Vollrath.

He adds that it’s important to remember that data leakage includes the accidental exposure of information by employees.

Therefore, companies must ensure they have security procedures and policies in place to regulate the use of information and data.

He believes that, to curb data leaks, employers must ensure their staff members are educated on POPI compliance.

“For those companies that only have the bare minimum amount of e-mail security and archiving and data storage, becoming POPI compliant will take some time,” says Vollrath.

POPI will require amending legal documents, consolidating data views, analysing subcontracting practices, and having control over cross-border data flows.

Whose information will be protected?

Vollrath pointed out that in the past, consumer data could be freely passed on and sold between companies, ranging from banks to telemarketers.

However, with the implementation of POPI, consumers will be able to report companies that handed out their personal data without their consent.

“Individuals will be able to take legal action if this is not respected, and it includes data that was shared before the Act’s implementation,” Vollrath adds.

The Information Regulator, appointed by the President on the recommendation of the National Assembly, will monitor the enforcement of the POPI Act.

If consumers are unhappy with how a company handled their information, they may submit a complaint to the Information Regulator, and an adjudicator will be assigned to the case.

“It is not clear when POPI will come into effect, mainly due to lengthy delays in appointing an Information Regulator and fully enabling its mandate and powers,” says Vollrath.

However, Juan Furmie, COO at ThisIsMe, warns that consumers should not feel that they will automatically be protected.

“POPI gives them the tools to protect themselves, but they still need to be proactive in using those tools,” says Furmie.

Consumers will be able to ask any company to show them the information it holds on them, if any, and to request that the company delete that information if it has no reason to keep it.

“It gives power to the consumer, but ultimately everyone is at risk of cybercrime. It is up to each one of us to ensure we are careful about who we share information with,” urges Furmie.

Consequences of not being compliant

According to Vollrath, companies that do not comply with POPI risk financial losses, as well as penalties and even imprisonment.

“If a business is non-compliant, it will not only inflict damage on its reputation, but the company will also face a maximum fine of R10-million and a maximum jail term of 10 years,” says Vollrath.

“Becoming compliant is not just about obeying the law, it’s become essential to doing business in a data-driven world,” he explains.

Vollrath believes data protection can have real benefits for profitability and competitiveness because it gives businesses an advantage over those that do not protect their customers.
