POPI is a critical aspect for all companies and compliance is essential. AVI MISTRY gives his thoughts on how companies can remain POPI compliant, especially when issues like BYOD come into play.
Complexity and challenges in complying with POPI
Today, CIOs and CTOs face a number of risk factors: allowing employees to use their personal mobile devices for work purposes (BYOD), the move toward cloud and mobile applications, and the outsourcing of services such as IT or call centre operations. Another subject that has attracted the media spotlight and the public's attention of late is the security of customer information, driven by an increasing number of privacy laws, most prominently the Protection of Personal Information (POPI) Act 4 of 2013.
The Act regulates the way in which personal information is processed and applies to every local business that collects, stores or processes personal information, including government, the banking sector, medical practitioners and organisations, retail businesses and insurance companies. POPI touches every company and virtually every area of its business, since all firms hold personal data on their employees, client base, suppliers and investors.
The nitty-gritty of compliance
POPI gives South African organisations one year from the commencement date of its operative sections to become fully compliant; the Act itself was signed into law in November 2013, with the commencement date still to be proclaimed. For businesses this translates into making sure that they have the correct security controls in place and have assigned or hired staff responsible for collecting, securing and appropriately using personal information.
Companies that process personal information have to make sure that their clients know why they require this data and what it will be used for. Another consideration for businesses is that when an employee's laptop or corporate-issued mobile device was stolen in the past, a company simply needed to have it insured and/or replace the stolen asset. Now, adequate security safeguards have to be in place to protect the data on a device that is stolen or lost. Password protection combined with device or full-disk encryption mitigates the risk in such cases; a lock-screen password alone does not protect data that is stored unencrypted, since the storage can simply be read from another machine.
Organisations that do not comply with POPI face hefty fines of as much as R10 million and potential jail sentences of up to 10 years, and also leave themselves open to civil lawsuits.
Thanks to POPI, South African citizens now have the ability to hold businesses accountable for the manner in which their personal information has been mishandled. Moreover, the Act should also act as a major deterrent to criminals such as spammers, scammers and those who partake in identity theft or credit card fraud, because the penalties involved are severe.
POPI is not the only piece of legislation governing the protection of information: companies must also deal with the added complexity of other privacy-related legislation when formulating their privacy policy, for instance the Consumer Protection Act, the Promotion of Access to Information Act and the National Credit Act.
Every South African company, as well as every international firm doing business locally, has to review the effects that POPI will have on its business so as to ensure compliance when the law goes into full effect.
* Avi Mistry, Head: Commercial & Government – South Africa at Intel Corporation