The POPI legislation ensures that companies of all sizes around South Africa need to implement measures to better secure their customers’ personal details. For many SMEs, this can be quite a headache and rather costly. DARYL BLUNDELL, GM of Sage Pastel, outlines a few steps that will help companies become POPI compliant.
As if you needed something new to worry about, a piece of legislation called the Protection of Personal Information (POPI) recently came into effect in South Africa. This data privacy law means that it’s more important than ever for you to ensure that your data and information systems are secure from breaches and leaks.
POPI essentially seeks to protect people’s privacy by regulating the ways in which their personal information is stored, managed and processed. In addition to complying with a range of rules that govern how you obtain and use customers’ personal information, you also need to take reasonable steps to secure it. You might face a fine if this data is stolen or leaked.
Personal information includes employee and customer data such as cellphone numbers, ID numbers, and personal addresses.
Preparing your business
If you have not started doing so already, now is the time to align your data security policy with the criteria of the Act. Here is a step-by-step guide:
· Identify existing customer information and who has access to it.
· Review the processes through which you collect and process personal information.
The information you collected and stored before POPI is also subject to the new Act, so it might be necessary to securely discard it if you cannot migrate it onto technology platforms that meet the law’s requirements. In practice, your core business solutions probably keep customer data in well-identified locations such as structured databases, so it is relatively easy to meet the POPI Act’s requirement to “apply reasonable security measures” to safeguard the information.
This would include common-sense rules such as protecting customer data with strong passwords and encryption, and restricting access to the most sensitive data to the people who need it. Managing unstructured information such as call centre voice logs, Word documents, and paper-based documentation might be more challenging.
Keep it in the cloud
One way to handle POPI is to use cloud applications provided by a reputable service provider. Most major service providers and software companies will already have data security standards and technology in place that meet POPI’s needs.
This is more secure and usually cheaper than trying to handle all the information security yourself – a good provider will have strong encryption, high-end firewalls, and other solutions in place. But be sure to ask each provider about compliance and look carefully at how your providers based in other countries manage and secure your data.
The biggest challenges will be around culture, company policy, and end-user behaviour, since the enabling technology is fairly simple to implement. The challenge isn’t encrypting data or enforcing strong passwords, but getting your employees to understand why they need to follow security policies that may seem annoying and time-consuming.