While South African businesses have had the opportunity to mull over the various sections and regulations contained in the Protection of Personal Information (POPI) bill since 2013, the signing of it into law by President Cyril Ramaphosa in June this year meant they had just 12 months from that date to fully comply with the Protection of Personal Information Act (POPIA).

POPIA has serious implications for organisations in terms of data collection, its management, its protection, its disposal and, of course, its security. Having said that, the Act could also present massive opportunities for those in the channel with the appropriate solutions and the means to implement them for their customers.


With many organisations still scrambling to meet the requirements of the Protection of Personal Information Act, 2013 (POPIA), it would be remiss not to ponder the far-reaching impact of the Act, says Andrew Hoseck, chief operating officer of In2IT Technologies SA.

Organisations have until 1 July 2021 to meet the Act’s various obligations; however, the process remains hugely onerous and will require considerable resources to implement successfully.

“That said, POPIA also creates the opportunity to simplify and optimise business operations and processes, embracing more appropriate and cost-effective technology solutions that provide short and long-term benefits,” Hoseck adds. “It can establish an infrastructure that is based on better data management and security.”

Hoseck says that a fundamental part of the Act is that during the process of collecting personal information, organisations must provide the requisite reasons for obtaining the data and, importantly, ensure that it’s shared with only authorised individuals.

“The use of personal data within an organisation needs to be meticulously managed within stringent parameters,” he says. “In essence, whilst employees work for the same organisation, they will not necessarily have access to the same data.

“For example, the finance department will be allowed access to information such as banking details and IDs, while logistics will only have access to details such as a physical address for delivery purposes. Here it becomes quite complex: how do you ensure that only certain information about an individual is provided to specific authorised departments and personnel?

“Also, and this is where it gets even more complicated, what about physical filing systems that store thousands of documents with a massive paper trail?” he continues. “Surely you can’t go through each file, allowing and redacting information per department – it will take a huge amount of time and manpower.

“There is a solid case for simplifying and modernising business processes. With the right technology solution, you can develop a complex matrix of what, when and why, and for what and put in place user level access parameters.”
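The per-department “matrix of what, when and why” described above can be expressed as a field-level access policy: each department is granted a fixed set of fields of a data subject’s record and a fixed set of permitted purposes, and every release is logged with the stated purpose. The following is an added illustration written for this article, not code from In2IT or any vendor; the department names, field names, purposes and the sample record are all constructed for the example.

```python
"""Field-level access control over personal information, keyed by department.

Added example (not the article's or any vendor's code). The access matrix,
department names, purposes and the sample record are constructed here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which fields of a data subject's record each department may see, and for
# which stated purposes. Anything not listed is withheld by default, so a new
# field added to a record is never exposed until a policy entry grants it.
ACCESS_MATRIX = {
    "finance": {
        "fields": {"full_name", "id_number", "bank_account"},
        "purposes": {"payment", "invoicing"},
    },
    "logistics": {
        "fields": {"full_name", "delivery_address"},
        "purposes": {"delivery"},
    },
}

REDACTED = "[withheld]"

# Constructed sample record for one data subject (placeholder values).
SAMPLE_RECORD = {
    "full_name": "A. Example",
    "id_number": "0000000000000",
    "bank_account": "000000000",
    "delivery_address": "1 Example Street, Example Town",
    "email": "a.example@example.invalid",
}


class AccessDenied(Exception):
    """Raised when the department or purpose is not covered by the policy."""


@dataclass
class AccessLog:
    """Append-only record of who saw which fields, and why (for later disclosure)."""
    entries: list = field(default_factory=list)

    def record(self, department, purpose, released_fields):
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "department": department,
            "purpose": purpose,
            "fields": sorted(released_fields),
        })


def view_record(record, department, purpose, log):
    """Return a copy of `record` with only the department's permitted fields.

    The caller must state a purpose; if it is not one the policy allows for that
    department, nothing is released. Withheld fields are kept as keys with a
    redaction marker so the consumer can see that they exist but not their values.
    """
    policy = ACCESS_MATRIX.get(department)
    if policy is None:
        raise AccessDenied(f"no access policy for department {department!r}")
    if purpose not in policy["purposes"]:
        raise AccessDenied(f"purpose {purpose!r} is not permitted for {department}")
    released = {k: v for k, v in record.items() if k in policy["fields"]}
    withheld = {k: REDACTED for k in record if k not in policy["fields"]}
    log.record(department, purpose, released.keys())
    return {**released, **withheld}


def subject_access_report(log, department=None):
    """List which fields were released, to whom and why: the disclosure a data
    subject may ask for. Optionally filter by department."""
    return [e for e in log.entries if department is None or e["department"] == department]


if __name__ == "__main__":
    audit = AccessLog()
    print(view_record(SAMPLE_RECORD, "logistics", "delivery", audit))
    print(view_record(SAMPLE_RECORD, "finance", "payment", audit))
    try:
        view_record(SAMPLE_RECORD, "finance", "delivery", audit)
    except AccessDenied as exc:
        print("denied:", exc)
    print(subject_access_report(audit))
```

The policy is deny-by-default in both dimensions: a department with no entry sees nothing, and a permitted department with an unlisted purpose sees nothing. The log is what lets the organisation answer the “who has access to it and how is it used” question raised later in the article.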

Hoseck says POPIA requires organisations to uphold a high standard of information. “It is your responsibility, as the organisation, to ensure that personal data is accurate and recent,” he says. “Technology will play a major role in automating this process, ensuring that data is regularly updated.

“There will undoubtedly be education involved, as company customers and partners will have to be willing to update their information when a specific system, whether it’s an email or website log-in, prompts them to do so. In time, as the specifications of the Act become more well known, users could be more forthcoming.”

According to Hoseck, recent and accurate data lends itself to improved customer relations. “Companies will now have an accurate database that will, for example, ensure marketing initiatives reach the right audience with maximum returns,” he says.

“POPIA will see the establishment of a central data repository – integrated systems that obtain information from a primary data resource – one version of the truth, therefore,” he says. “People can also request that their personal information is removed. Also, organisations can be asked to disclose how the information is used and who has access to it. Having the information on hand through a dedicated and current central repository will ensure that organisations can readily remove information or gain access to where and when the data is being used. This will go a long way in fostering an open relationship with customers.”

Hoseck says security forms a core part of POPIA’s requirements. “Organisations need to take a long hard look at their security – both physical and digital – and ascertain where weak points are and how they can be bolstered,” he explains. “Loss of physical equipment can be catastrophic, which is why the same level of protection as for personal data residing in the cloud must be applied, for example.

“Demonstrating how comprehensive POPIA is, how do you manage your daily run-of-the-mill acquisition of information?” he asks. “For example, how are visitors’ books managed, what happens to the recordings from the cameras, and so forth? This applies to both visitors in the building and employees that are recorded on a daily basis.

“There is no doubt that POPIA has far-reaching implications, however, it also provides companies with solid regulations on how to update, streamline and secure personal information that benefit customers and the organisational operations,” Hoseck says.

Anelda Dillon, senior consultant at Bizmod, says that with companies struggling to come to terms with operating within Covid-19 and lockdown parameters, the POPIA announcement in June may have gone unnoticed. She says a number of additional sections were added and will now come into effect, which will no doubt influence the way we work going forward and the way businesses will operate.

Dillon says that the global pandemic has already significantly changed the way we work by increasing remote working and it is expected that, for many, this will continue to be the norm in the future. For organisations this means that they need to prioritise a plan to focus on data access, information security and data management. In addition, the behaviour of employees has and will need to continue to change as engagement becomes more remote.

“This means that people’s privacy needs to be respected at all times without jeopardising the information protection controls that will need to be put in place,” says Dillon.

Organisations need to be aware that information privacy is more than compliance with POPIA, as there are additional industry-specific regulations and standards that need to be onboarded within organisations. “The onus is also on the business to be aware of any protocols required by different countries if operating across borders,” warns Dillon.

Dillon provides the below tips for organisations to ensure sustainable compliance:

For all sections of POPIA to be successfully implemented, the buy-in and commitment of the leadership team is integral.

The information privacy officer should be able to hold deputy information officers (heads of business responsible for information protection in their areas) accountable for their departments and business units’ compliance.

Functional and user-friendly processes, technology platforms and systems need to be created and implemented.

Creating aligned approaches across the organisation, especially relating to direct marketing, data subjects, incidents and breaches.

Customer and third-party engagement strategies will need to be re-designed to meet the new requirements.

Alignment throughout the business, especially when it comes to big corporations comprising multiple business units, departments, additional legal entities and branches.

Constant communication enforcing a culture of awareness and commitment to the safeguarding and protection of personal information.

“Many companies will be faced with the challenge of fostering a culture where employees feel connected while still adhering to the information privacy requirements,” says Dillon. “Companies are going to become increasingly reliant on the integrity and establishment of trust with employees when working offsite and being required by law to protect information.”

Sarisha Kisten, attorney and MD of legal advisory Enyuka Consulting, says that with less than a year to achieve compliance, organisations need to take proactive measures now to align with the guidelines of POPIA. However, she adds, they should note that the Act should not be seen as a burden, but rather as an important set of guidelines to safeguard both businesses and their customers.

Outlining key pieces of data protection and privacy legislation at a recent webinar – Europe’s General Data Protection Regulation (GDPR) and South Africa’s POPIA – Kisten said: “Compliance with data protection and privacy legislation goes beyond regulatory compliance; it’s about protecting your organisation’s reputation and people’s right to privacy.

“Personal data is a commodity which is often sold to data brokers. Whether people are using navigation services, adding their details to a Covid-19 registry, or using biometric access systems, they are sharing personal information – and it needs to be protected.”

Kisten says data breaches could have devastating consequences. For an individual whose data is stolen, it could mean having to change passwords frequently, enact credit freezes and conduct identity monitoring – and possibly being defrauded.

For a business, a breach could damage its reputation through loss of brand value and loss of trust and, potentially, cause financial losses.

“The motive behind GDPR is to standardise privacy laws across Europe and protect citizens’ right to privacy – it is reshaping the way data is handled across every sector.”

She explains that the GDPR applies to any company that stores or processes personal information about EU citizens. If your business offers goods and/or services to citizens in the EU, then you will have to consider GDPR compliance. In addition, businesses will need to comply with GDPR even if they do not have a business presence in the EU but do business with EU citizens.

“South African businesses are urged to examine GDPR in relation to their business operations to determine the applicability of the regulations,” Kisten says. Non-compliance with the GDPR could result in penalties, which could be a costly mistake for businesses.

POPIA, which aligns with best practice legislation such as GDPR, commenced on 1 July this year and allows for a 12-month grace period until 30 June 2021 for organisations to comply.

Kisten explains that POPIA aims to protect personal information processed by public and private bodies, set conditions or guidelines on how personal information should be processed, issue codes of conduct to regulate certain industries and how they manage personal information, and provide for the rights of persons regarding direct marketing.

The Information Regulator is tasked with monitoring and enforcement.

Kisten says that, while POPIA makes provision for fines of up to R100-million and up to 10 years’ jail time, enforcement would likely start with a notice of non-compliance issued by the Information Regulator, and that time would likely be allowed for any non-compliance to be rectified.

Kisten adds that it is important for organisations to understand what is meant by personal information and processing: “Almost all South African businesses keep information about staff and customers, and very few will be exempt from POPIA,” she says.

POPIA will apply to any personal information that can be traced back to an individual – including photos.

“Non-compliance could be raised by a breach, in an audit by the Information Regulator, or in a civil case,” Kisten says. “Organisations need to be aware of the penalties, as well as the risks of reputational damage and losing customers and employees.”

Kisten recommends that organisations should move now to become compliant with POPIA and other best practice data protection and privacy laws.

She says the roadmap to compliance should start with the appointment of an information officer and/or a POPIA committee, and then go on to analyse all data processing activities within the organisation.

“Businesses must consider all facets of data processing in all divisions and all departments,” she says.

Organisations also need to train relevant staff on POPIA, she adds. “Awareness is important, because it brings about a culture shift.”

There is also a need for businesses to ensure that POPIA principles are integrated into contracts, procedures, and terms and conditions.

“POPIA measures need to be implemented throughout the business, and policies and procedures must be continuously reviewed and updated to remain compliant,” Kisten says.