The Protection of Personal Information Act (“POPIA”) has been passed into law but awaits a date to be implemented – possibly 2020.
POPIA itself is short in length but devilish in detail. It certainly cannot be digested or implemented by way of a “one size fits all” approach. Each business needs to be audited for aspects where POPIA will apply to the business.
POPIA requires that any business proactively takes steps to protect personal information of any customer, employee or third party interacting with the business.
The consent of the person is required to be in place where any such information is used.
The identified areas where a business needs to take measures can be boxed separately into:
Information Technology – securing all internet portals and contact against hacking of information, website consent management, online marketing consent and retention of third party of information in digitised format.
Physical location where business is conducted from – measures required to be taken at the business premises to restrict access to personal information held by the business. This relates, for instance, to restricted access areas at the business as well the destruction of hard copy documentation.
Human resources – securing and destroying of personal information of employees, information relating to prospective employees following interview sessions.
Whilst most large corporations and financial services providers are POPIA proofing their operations, the same cannot be said of medium and smaller organisations. The exercise is complex and time consuming. Simply put, it will not be possible to implement the required controls at short notice and particularly when alarm bells are set off.
Some law firms have already invested considerable time and resources in training their selected professional and support staff to provide POPIA compliance implementation to business owners.
The advent of the Internet of Things (“IOT”) with its use by virtually every business for everyday communication needs and advertising their goods or services and the marketing and sales benefits led to the need to protect customers and third parties regarding their personal information.
Data sourced and held by a business relating to personal information is now touted as the new oil for profit utilisation by both marketing organisations and hackers.
Although preventing a data breach may prove impossible (as hackers are financially incentivised via a ransom demand or selling the data on the Dark Net) the Information Regulator will nonetheless examine compliance steps initiated by the business when assessing the severity of the sanction to impose.
POPIA provides for a fine of up to ten million Rand or a jail sentence up to ten years for non-compliance.
Business owners are urged to immediately place POPIA initiation on their urgent to do list.
Author: Guy Dakin