Legal News South Africa

New Act to protect personal information

Enactment of the new Protection of Personal Information Act (POPI) is expected in the near future. This means that any businesses that have access to clients' personal details must comply with the Act's terms or potentially face criminal prosecution.

This is according to Garth Watson, a director of the Cape legal firms, Gunstons Attorneys and the Environmental Law Consultancy.

International standards

Watson stressed that POPI (as the Act is now known) will bring South Africa into line with the most advanced European legislation already in force to protect personal information.

"The new Act," he said, "is designed to prevent the use of client contact details or information for any purpose other than that for which it was originally submitted.

"For example, if I give my email address or my cell phone number or details of my income, my health, my home or my hobbies and pastimes to an insurance or investment company, a medical aid group, an estate agency, a bond originator, a firm of attorneys or any other body, those passing on information without my express consent will now be acting contrary to the provisions of the Act - even though I might personally have no objection to this process taking place."

South African companies and organisations, said Watson, are being given one year from the date of the Act's enactment to ensure compliance with POPI. Companies should therefore, he said, now be putting systems in place to prevent the disclosure or dissemination of personal information, and those systems must comply with the Information Security Management Systems (ISMS) that are certifiable in terms of ISO 27001, the international standard for ISMS.

"Companies which handle personal information should use a certificated auditor who is fully au fait with the POPI Act and its potential implications," said Watson.

The challenge of guaranteeing confidentiality

Watson added that POPI has become essential because any high income earner today is liable to be bombarded via the electronic media with information and advertising for which he or she never asked. "I have always wondered where these spam marketers get my cellphone number," he said.

The challenge in the coming year, said Watson, will be for the IT companies involved in the field of server and web hosting to develop systems which are genuinely foolproof and "hack-proof", especially those which offer cloud computing services.

"Their clients will now want full reassurance that personal information stored on these servers is protected in terms of POPI. However, this will not be easy to achieve and probably means that companies which are strong on the IT side and which use IT service providers with a certified ISMS will gain by being ahead of others in being able genuinely to guarantee confidentiality."

Legal advice recommended

Watson added that difficulties could be experienced by companies which make use of cloud computing such as Dropbox, Google Drive or any other cloud solution where personal information is stored off-site, and possibly even internationally, on servers owned and managed by foreign companies and not subject to POPI.

In the coming year, said Watson, it will be essential that the contracts drawn up by IT service providers be checked by legal experts fully informed on information security.

"Personal information is no longer stored on the premises of the company liable in terms of POPI, but with the servers of the IT company. A company's compliance with POPI will, therefore, depend entirely on compliance with POPI by its IT service provider."

Companies and law firms which are able to implement ISMSs and ensure that their clients comply with POPI and that they are contractually protected against non-compliance by IT service providers will find themselves very much in demand, said Watson.

For further information, contact Garth Watson on +27 (0)21 702 7763.
