How to be sure that your company is ready for POPI
The days of organisations collecting and selling private user data to third parties in South Africa are numbered, and that's a good thing for our privacy concerns.
With parliament soon to implement the Protection of Personal Information Act (POPI) - and demonstrating a will to empower POPI regulators with the power to enforce harsh penalties - it's critical for all organisations that collect or process any citizen's personal data to ensure they are prepared. The penalties for non-compliance with POPI may include fines up to R10 million and up to a decade in jail for the individuals responsible for failing to adhere to the new law.
Arguably even more potentially harmful to a company is the reputational damage a business found out of compliance could incur with the public, as users cease to trust that entity with their personal information. As POPI is wide reaching and places sophisticated requirements on the handling of data, organisations must examine their processes and put in place practices and supporting technology that matches the law's demands.
The law, enacted in November 2013, contains several provisions with which an organisation must comply. Organisations must now define their purpose for collecting an individual's personal information and inform the individual of that purpose, and the individual must consent. If a company wants then to use that information for a purpose other than what was originally stated, it must ask for consent anew. Individuals have legal standing to object to their information being processed, and can request to access their information, correct it or have it removed.
A business will be held responsible for its treatment of data even when another company processes the data for it. Personal data on an individual is required to be kept complete, accurate and up to date. To fulfil POPI's requirements of how information is handled, organisations must have policies in place for information protection, retention and destruction when appropriate. All personal information must be destroyed once the original purpose for which it was collected is achieved, so holding on to personal data longer than you need to could present a risk.
Lastly, organisations must show specific security measures that protect the confidentiality and integrity of the personal information they hold, they must monitor and update that information, and they must notify regulators and any affected individuals in event of a data breach.
The wide reach of POPI means that every organisation should take stock of the information it collects and gain an understanding of how POPI may alter its practices. Industries involved with more sensitive personal information, such as health care, insurance and finance, must take special care with the security of those records. POPI considers certain kinds of personal data 'special information', including an individual's religious or political views and his health status. A special case is also made under POPI for bank account numbers. This kind of information is subject to more strict protection.
Safeguard or destroy
Organisations preparing for POPI should first know the individual's data they have in their possession, and then take measures to safeguard or destroy that data as appropriate. Any data kept must be appropriately safeguarded and policies should be adjusted to maximise protection from data breaches. Technical controls, such as data/device encryption, will help. Companies must make themselves ready with such technology to protect any data they take into their possession securely and to be practical to focus such efforts on the device most mobile and, therefore, most at risk of loss and theft. These solutions must function across all hardware and devices across the company to be effective.
Cloud-based technology that tracks the location of all mobile devices within an organisation and can remotely control data access, quarantine devices, and fully wipe data when necessary can be a powerful addition to encryption safeguards. The visibility that such tools provide can also be used to provide the notifications and reporting of compliant data security practices that regulators need to see demonstrated, a so-called 'POPI receipt' for a lost or stolen device.
In the end, the boon to personal privacy and the chance for organisations to prove themselves worthy of public trust make POPI a welcome change in the law. Companies that actively welcome the challenge of adjusting their practices to meet POPI's requirements may well earn a competitive advantage by establishing their adeptness at protecting personal data to the marketplace.
Be simple and practical in your approach to start with, then build up your compliance from there as it will be impossible to be fully compliant with POPI once the law commences.
About Amit Parbhucharan
Country Manager at Beachhead Solutions, Inc.