A closer look at PoPI compliance
by Aaron Thornton, Dial a Nerd
With the enforcement of the Protection of Personal Information Act of 2013 (PoPI) on the horizon, South African business owners and leaders need to re-examine the way that they handle and process data. In essence, PoPI seeks to ensure that all South African institutions operate responsibly when managing, collecting, processing, storing and sharing personal information. The Act holds said companies accountable if they fail to protect personal data, and looks to bring South Africa in line with international trends around data management. Arguably, these laws will get stricter as time passes and more high profile examples of data breaches, like Facebook’s, emerge.
Yet with PoPI’s commencement date still unclear, many businesses are choosing to ignore the new regulations. This is risky! A few limited sections of PoPI have already commenced (under proclamation No. R. 25, 2014). According to reports, although the Information Regulator is not yet fully operational, it has already received many complaints relating to the unlawful processing of personal information under PoPI.
As a business, you do not want to get on the wrong side of the Information Regulator. Once PoPI is in force, the Information Regulator can carry out an assessment of your personal information handling practices – even if no complaint has been filed. With this in mind, this article takes a closer look at the impending data law.
Defining “precious goods”
Firstly, PoPI considers personal information and data “precious goods”. Taking this view into account, business leaders can face jail time or a fine of up to R10-million if an organisation is in breach of the Act. This is applicable to any legal entity, whether it is a person or company. In other words, companies also have the right to the protection of their private information. Arguably, it is near impossible to meet the requirements of PoPI without the right IT tools and platforms in place. These tools, in addition to keeping a business in line with PoPI, can streamline operations and also boost efficiencies.
Conditions of the Act
PoPI has eight conditions that companies must comply with:
- Accountability: All legal entities need to be responsible, accountable and must comply with the conditions of the Act.
- Processing limitation: You must justify why you are processing and capturing private information. Also, there should be limits in place as to what information you process and how much there is. You must have the consent of the party to whom the information belongs and any processing of this information should be compatible with the original purpose for which it was collected.
- Purpose specification: The data must be captured for a specific and justifiable reason and the party must be aware of this. A record must not be kept for longer than deemed necessary.
- Further processing limitation: Any further use or processing of information collected must be related to the original purpose of the information being collected.
- Information quality: All information collected must be correct, up to date and not misleading. This applies to backups too.
- Openness: In order to fulfil the openness condition, notification must be sent to the party whose information is being captured. The party must be able to view your name and/or company name and address, be informed of the reason why you are collecting this data, and be told what information is being collected.
- Security safeguards: This is arguably the most important and actionable condition of the PoPI Act, specifically when it comes to IT and technology. Firstly, you need to identify the data that contains personal information and treat it with care. Secondly, all such information must be secured – and you must be able to prove that steps have been taken to do so in the most effective way possible. If there is a security breach, you must inform the regulator and the party whose data is affected.
- Data subject participation: The party whose information you have has the right to ask for any data that you have about them. They can also request that you permanently delete this information, or update it.
Allocate resources smartly
Businesses that have to comply with both the PoPI Act and the GDPR should ideally focus their resources on complying with the GDPR first – and then PoPI. Both require focused attention on every aspect of data processing within the enterprise environment. Apart from the governance aspect, IT has a critical role to play in PoPI and GDPR compliance. There are numerous public examples of how data breaches can (and do) occur, and the results can be ruinous for a business. One only has to look at SA insurer Liberty’s recent hack – which brought about costly ramifications for the multinational financial company. Indeed, the issue is no longer about having a firewall and good passwords. Data security now needs to be a company-wide practice, included in almost all policies and procedures, and supported by the right IT solution. The good news is that getting there will not only make you compliant – it will bolster your IT system and introduce new efficiency and agility to your business!