Businesses will face a rude awakening if they fail to put in place reasonable measures to be PoPI compliant. Punishment will vary from company to company: a fine of up to R10-million or jail time of up to 10 years. Not only are organisations, for the most part, far from prepared, but many simply refuse to believe that PoPI, the Protection of Personal Information Act, will be enforced.
With potentially severe penalties, why is nobody talking about PoPI? Is it that they don’t believe it will be properly imposed, or is it a case of people sticking their heads in the sand? Or perhaps it’s that the task ahead looks too daunting?
Pansy Tlakula, former IEC chairperson, was announced as Information Regulator in November last year, and organisations were then given 12 months to become compliant. The wheels of PoPI have started to turn, and time is running out for companies to make sure that sufficient measures are in place to comply with the new legislation.
The two sectors most at risk of being fined if found to be non-compliant are financial services and the medical sector, as they deal most predominantly in personal information.
“Government won’t be targeted. They will be able to argue that to do any alterations in process and systems is like trying to steer the Titanic – it will take forever. But those most affected by PoPI are certainly financial and medical organisations,” says Drew van Vuuren, data protection officer (DPO) at ESET South Africa.
Consequences will depend on the scale of a breach. Says van Vuuren: “If a business has a system in place that is not mature, or done correctly – and if someone then decides to use a lost list for nefarious purposes – and the business at hand is seen to not have taken the relevant steps to prevent this, it could cost you your business. No matter who you are; a multi-national or a one-man-band, the expectation is that you take reasonable steps and put in reasonable effort.”
Intended to give effect to the constitutional right to privacy, PoPI’s main aim is to prevent the unlawful disclosure of personal information and to ensure that all South African businesses conduct themselves responsibly when collecting, storing and sharing personal information.
Determining what counts as reasonable steps may prove contentious, but businesses must start with the process, which is less daunting than it may appear. It starts with understanding what PoPI is, what measures you already have in place, and what the actual impact could be for your business.
Here are five steps for your business to get a head start on PoPI:
1. You need to know what is required of you under PoPI
It is important that you know what role you play in the context of PoPI: whether you are a responsible party or an operator. A responsible party, for example, is the party that collects the information.
“Mobile phone companies, as an example, would be a responsible party because when you sign a contract with them, they collect your personal information,” says van Vuuren. “A third-party service provider that may do billing for Vodacom would be defined as an operator, and the operator is expected to operate their business under the controls defined by the responsible party.”
Therefore, it is essential that, first things first, you understand the role you play within PoPI.
2. Get a broad understanding of what personal information you hold
Personal information is not just information on individuals; it also covers information on juristic entities. The business needs to get a proper understanding of what information it currently holds or processes on both kinds of party.
3. Get an understanding of how you process the information
Do you use third-party applications? Is there a limitation on who can and cannot access the information? What is the actual information architecture around the data?
If you are providing third-party access, have you got mitigating controls in place to ensure that the way they access the information is secure? Is it stored in a secure format? Is it encrypted?
4. What would happen should I ever be compromised?
If you have a third-party supplier that is accessing or processing personal information on your behalf, what would be the impact on your organisation should there be some loss of fidelity to that personal information at the third party?
5. What controls do I need to implement?
Based on the answers to step four, you can then review what controls you currently have in place and what controls you still need to put in place.
It is more than likely that the regulator will find a breach it has to act on and then make an example of the responsible organisation. We ask the question: do you want to be the business that the regulator decides to make an example of?