Following the commencement date of the Protection of Personal Information (POPI) Act, businesses will have one year to become ‘POPI compliant’.
According to the 2017 POPI Act Compliance Survey, which was run by ITWeb, only 21% of their 265 respondents said they were POPI compliant.
Among the remaining respondents, 19% admitted they were not compliant, 26% said they were unsure whether they were, and 35% said they were busy getting their house in order.
But what does it actually mean to be POPI compliant?
Alison Treadaway, director and digital communication specialist at Striata, explains that POPI stipulates how businesses can legally process consumers’ personal information, such as email addresses, ID numbers, and cellphone numbers.
This is to protect consumers from having their information sold to the highest bidder or stored in vulnerable locations where hackers can easily access it.
To become compliant, businesses must prove that the personal information they collect is acquired responsibly and that it is adequately secured.
However, Treadaway points out that it’s difficult to get an accurate gauge of how prepared South African companies are for POPI.
She believes companies may have initially prepared for POPI, but that delays in implementing the legislation could have tempted them to put their efforts on hold.
“If the situation is anything like that which occurred during the implementation of the European Union’s General Data Protection Regulation (GDPR), then we’ll likely see a last-minute scramble,” says Treadaway.
A closer look at POPI
Treadaway explains that under POPI, organisations will only be able to collect personal information for a specific purpose.
Once collected, they need to apply reasonable security measures to protect it, ensure it’s up to date, remove information they no longer need, and allow consumers access to their own data.
Additionally, companies are required to appoint an information officer, who must ensure that data is constantly secured, new data is appropriately handled, and old data is destroyed.
“In essence, POPI gives consumers more control over how their data is used and stored by organisations,” says Treadaway.
If their data is compromised in a data breach, the Information Regulator will investigate whether the breach was caused by a lack of compliance of that organisation’s systems.
Thomas Vollrath, company head at 1-grid.com, believes data is a company’s most valuable asset, which means businesses should make sure they use the correct technology.
“Choosing the right data and document processing applications will put you on the right path to becoming compliant,” says Vollrath.
He adds that it’s important to remember that data leakage includes the accidental exposure of information by employees.
Therefore, companies must ensure they have security procedures and policies in place to regulate the use of information and data.
He believes in order to curb data being leaked, employers must ensure their staff members are educated on POPI compliance.
“For those companies that only have the bare minimum amount of e-mail security and archiving and data storage, becoming POPI compliant will take some time,” says Vollrath.
POPI will require amending legal documents, consolidating data views, analysing subcontracting practices, and having control over cross-border data flows.
Whose information will be protected?
Vollrath points out that in the past, consumer data could be freely passed on and sold between companies, ranging from banks to telemarketers.
However, with the implementation of POPI, consumers will be able to report companies that handed out their personal data without their consent.
“Individuals will be able to take legal action if this is not respected, and it includes data that was shared before the Act’s implementation,” Vollrath adds.
The Information Regulator, appointed by the President on the recommendation of the National Assembly, will monitor the enforcement of the POPI Act.
If consumers are unhappy with how a company handled their information, they may submit a complaint to the Information Regulator, and an adjudicator will be assigned to the case.
“It is not clear when POPI will come into effect, mainly due to lengthy delays in appointing an Information Regulator and fully enabling its mandate and powers,” says Vollrath.
However, Juan Furmie, COO at ThisIsMe, warns that consumers should not feel that they will automatically be protected.
“POPI gives them the tools to protect themselves, but they still need to be proactive in using those tools,” says Furmie.
Consumers will be able to ask any company to view the information they have on them, if any, and request them to delete that information if there is no reason for them needing it.
“It gives power to the consumer, but ultimately everyone is at risk of cybercrime. It is up to each one of us to ensure we are careful about who we share information with,” urges Furmie.
Consequences of not being compliant
According to Vollrath, companies that do not comply with POPI risk financial losses, as well as penalties and even imprisonment.
“If a business is non-compliant, it will not only inflict damage on its reputation, but the company will also face a maximum fine of R10-million and a maximum jail term of 10 years,” says Vollrath.
“Becoming compliant is not just about obeying the law, it’s become essential to doing business in a data-driven world,” he explains.
Vollrath believes data protection can have real benefits for profitability and competitiveness because it gives businesses an advantage over those that do not protect their customers.