POPI Compliance may be a ‘last minute scramble’

By Isabelle Coetzee

Following the commencement date of the Protection of Personal Information (POPI) Act, businesses will have one year to become ‘POPI compliant’.

According to the 2017 POPI Act Compliance Survey, which was run by ITWeb, only 21% of their 265 respondents said they were POPI compliant.

Among the remaining respondents, 19% admitted they were not compliant, 26% said they were unsure whether they were, and 35% said they were busy getting their house in order.

But what does it actually mean to be POPI compliant?

Alison Treadaway, director and digital communication specialist at Striata, explains that POPI stipulates how businesses can legally process consumers’ personal information, such as email addresses, ID numbers, and cellphone numbers.

This is to protect consumers from having their information sold to the highest bidder or stored in vulnerable locations where hackers can easily access it.

To become compliant, businesses must prove that the personal information they collect is acquired responsibly and that it is adequately secured.

However, Treadaway points out that it’s difficult to get an accurate gauge of how prepared South African companies are for POPI.

She believes companies may have initially prepared for POPI, but that delays in implementing the legislation could have tempted them to put their efforts on hold.

“If the situation is anything like that which occurred during the implementation of the European Union’s General Data Protection Regulation (GDPR), then we’ll likely see a last-minute scramble,” says Treadaway.

A closer look at POPI

Treadaway explains that under POPI, organisations will only be able to collect personal information for a specific purpose.

Once collected, they need to apply reasonable security measures to protect it, ensure it’s up to date, remove information they no longer need, and allow consumers access to their own data.

Additionally, companies are required to appoint an information officer, who must ensure that data is constantly secured, new data is appropriately handled, and old data is destroyed.

“In essence, POPI gives consumers more control over how their data is used and stored by organisations,” says Treadaway.

If consumers’ data is compromised in a breach, the Information Regulator will investigate whether the breach was caused by non-compliance in that organisation’s systems.

Thomas Vollrath, company head at 1-grid.com, believes data is a company’s most valuable asset, which means businesses should make sure they use the correct technology.

“Choosing the right data and document processing applications will put you on the right path to becoming compliant,” says Vollrath.

He adds that it’s important to remember that data leakage includes the accidental exposure of information by employees.

Therefore, companies must ensure they have security procedures and policies in place to regulate the use of information and data.

He believes that, in order to curb data leaks, employers must ensure their staff members are educated on POPI compliance.

“For those companies that only have the bare minimum amount of e-mail security and archiving and data storage, becoming POPI compliant will take some time,” says Vollrath.

POPI will require amending legal documents, consolidating data views, analysing subcontracting practices, and having control over cross-border data flows.

Whose information will be protected?

Vollrath pointed out that in the past, consumer data could be freely passed on and sold between companies, ranging from banks to telemarketers.

However, with the implementation of POPI, consumers will be able to report companies that handed out their personal data without their consent.

“Individuals will be able to take legal action if this is not respected, and it includes data that was shared before the Act’s implementation,” Vollrath adds.

The Information Regulator, appointed by the President on the recommendation of the National Assembly, will monitor the enforcement of the POPI Act.

If consumers are unhappy with how a company handled their information, they may submit a complaint to the Information Regulator, and an adjudicator will be assigned to the case.

“It is not clear when POPI will come into effect, mainly due to lengthy delays in appointing an Information Regulator and fully enabling its mandate and powers,” says Vollrath.

However, Juan Furmie, COO at ThisIsMe, warns that consumers should not feel that they will automatically be protected.

“POPI gives them the tools to protect themselves, but they still need to be proactive in using those tools,” says Furmie.

Consumers will be able to ask any company to show them the information it holds on them, if any, and to request that it delete that information if the company has no reason to keep it.

“It gives power to the consumer, but ultimately everyone is at risk of cybercrime. It is up to each one of us to ensure we are careful about who we share information with,” urges Furmie.

Consequences of not being compliant

According to Vollrath, companies that do not comply with POPI risk financial losses, as well as penalties and even imprisonment.

“If a business is non-compliant, it will not only inflict damage on its reputation, but the company will also face a maximum fine of R10-million and a maximum jail term of 10 years,” says Vollrath.

“Becoming compliant is not just about obeying the law, it’s become essential to doing business in a data-driven world,” he explains.

Vollrath believes data protection can have real benefits for profitability and competitiveness because it gives businesses an advantage over those that do not protect their customers.
