Lack of a data privacy culture in South Africa is resulting in most local businesses being ill-prepared for the impending implementation of a Protection of Personal Information Act (POPI).

This is according to financial advice firm Grant Thornton South Africa, which says widespread reforms are needed in the private and public sector for (POPI) to ensure that collected private data is protected.

POPI plans to bring the country in line with international data protection laws and help enact citizens’ constitutional right to privacy. The Act also provides strict guidelines on, for example, what data can be obtained, how that data can be used, and requirements on how it should be kept up-to-date.

Government gazetted POPI in December last year, and it is currently awaiting an effective date.

But Michiel Jonker, a director for IT advisory at Grant Thornton, says based on feedback received from the business community, he thinks most South African organisations are ill-prepared to implement the legislation.

And he thinks a lack of data privacy awareness is driving this ignorance.

“We see all the time how passwords and the like go unprotected. Security cameras record personal information without securing permission or issuing a warning to those affected. The African continent as a whole is not geared for this level of privacy protection - we’re in survival mode and some believe that we are therefore not in a space to implement this complex legislation yet,” says Jonker in a press statement.

“There are many experts such as IT security consultants we deal with every day who say that South Africa is not ready for POPI and that it’s not going to work. They say even some of the big corporate players are at different levels of compliance or not ready to implement it at all,” Jonker adds.

Jonker’s views; though, have been echoed by other experts in the country.

Last year, ITWeb Africa reported that South African information attorney and information security consultant Mark Heyink said that “in South Africa we are probably 30 years behind most of the European countries relating to the implementation of privacy law and the education of our citizens about the importance of the protection of their personal information.”

Heyink used examples such as subdued public reaction to a cyber-attack on a South African Police Service (SAPS) database, which exposed over 16,000 whistleblowers’ details, and the 2011 leak of South Africa’s Direct Marketing Association (DMASA) database, in which over 30,000 people who signed up for a “do not contact” list then had their details allegedly made known.

Concerns around POPI’s high costs

POPI, though, is intended to bring South Africa more in line with global privacy laws, and Jonker notes it has benefits such as compliance with international standards that could lead to greater investment opportunities.

But implementing POPI is expected to place significant cost pressures on big business because of an extra layer of administration that compliance requires, says Jonker.

Costs could include the employment of additional specialised personnel, including expensive and highly-skilled privacy officers, the contracting of IT and business auditing service providers; and the need for specialist legal consultants for the review of all existing agreements which the company has with third parties.

In addition, companies may also face multi-million rand monetary fines, civil claims and reputational damage if found guilty of POPI transgressions.

Lucien Pierce, legal partner from Phukubje Pierce Masithela Attorneys who collaborates with Grant Thornton on POPI matters, has also commented on this concern in a statement by pointing to a prominent example.

“Take Zurich Insurance as an example. The local subsidiary of the company experienced a data leak in 2008 in which they lost the data of more than 40000 clients when the South African branch of the company lost an unencrypted back-up tape during a routine transfer to a data storage centre. While the implication for the South African subsidiary was minimal, the UK’s Financial Services Authority imposed a 2 million British pounds fine on the UK office of the company due to the POPI-like legislation that was already in place in Europe,” said Pierce.

‘Several bigger businesses, though, are switching on to POPI’

Jonker says “many of Grant Thornton’s Johannesburg Stock Exchange (JSE) listed corporate clients have realised the magnitude of the administrative burden that the impending legislation presents.”

“We’ve had quite a response from our corporate clients who want to be ready when the legislation becomes effective. It’s important to look at this in a global perspective and not in isolation. Any compliance must take into account the prevention of data breaches; the detection of breaches if the preventative measures fail and the ability to repair breaches and affect damage control.”

Overall; though, Jonker says opportunities POPI create depend on how well South Africa’s public and private sectors embrace a culture of privacy.

“Once the culture is right all the other privacy measures will work. We need to start respecting the privacy of personal information. It starts with the tone of top management and filters to the mail room downstairs,” concluded Jonker.