South Africa's parliament voted recently to appoint an Information Regulator and the National Assembly voted in favour of the nomination of the five candidates to run the regulator. On 26 October 2016, a government statement confirmed the appointment of Pansy Tlakula as full-time member and chairperson of the Information Regulator, along with other newly appointed officials, effective 1 December 2016.
Their appointment indicates that the Protection of Personal Information Act’s (POPI's) remaining provisions coming into effect is imminent. Once the final provisions have been signed into law, companies that deal with personal information will have a grace period of one year within which to comply, with a possible extension in some circumstances to three years.
The legislation has a wide reach across businesses of differing sizes across many sectors: if companies gather, receive, hold or share information about their consumers/customer base, they will be affected, including, but not limited to, ID numbers, company registrations numbers, email addresses and physical addresses.
This information and how it is handled will require a complete rethink for most companies. POPI states that companies can only collect information required for specific purposes and that how the information is stored and disposed of must be strictly controlled. The latter is of great importance – not only must information be kept up to date; it must be decommissioned and disposed of once no longer needed. In addition, the person whose information is being held must be able to access it if necessary.
Challenging year for contact centres
In the contact centre environment alone, where the entire operation relies on this kind of information, it is easy to see that a year is going to be a challenge for it to be able to upgrade the technology and business processes in order to comply with POPI.
Companies will first have to see what they are storing, how it is being stored and what they are using it for. This will require business analysts’ input, even before a strategy can be implemented to facilitate the change to compliance. Then business processes will have to be developed that can aid companies in this without undermining their current workflow. Depending on the size of databases, this is no small task. Additional hardware or software may also need to be considered, depending on the requirements.
Given that companies allocate their budgets per annum, it may already be too late for them to shift budget allocations to this process, and there will be significant costs, depending on the state of their contact centres. Older, legacy contact centres may have to have a complete overhaul, while others may be able to implement business solutions that align with their existing technology.
It is not a finite process, since POPI requires ongoing monitoring. The Act requires that an information officer be appointed to establish procedures and maintain them to ensure that data handling from start to finish is done in compliance with legislation.
Ultimately, the legislation will benefit both customer and business; the customer will be more secure in the knowledge that POPI protects his or her personal information and, if done correctly, businesses will have far more efficiency in the ways they handle data.
It is time to start considering the logistics, should legislation be rolled out in 2017. Only the most agile companies will be able to adapt and comply, with less disruption to their workflow and their general operations.