SA's POPI Act - avoid compliance at your peril warn experts
As South Africa draws closer to full implementation of the Protection of Personal Information (POPI) Act, an expert on the piece of legislation has urged businesses within the country's borders and in the region as a whole to ensure that they are compliant with the data governance requirements the law will impose.
Drew van Vuuren, a Johannesburg-based independent consultant, says last month's appointment of an information regulator, who will oversee adherence to the law, means that time is running out for companies that will be affected by the legislation.
"Former IEC chairperson Pansy Tlakula has been appointed to lead the regulator but that does not mean that POPI has become effective. It will only become effective once the department of justice ratifies it and the expectation is that that will happen in the first sitting of parliament next year. We are expecting the law to kick in during the first quarter of 2017. The law expects entities that gather personal information to take reasonable steps to secure the information and make sure that it is processed in a way that protects the rights afforded to the individuals."
Van Vuuren says determining what counts as reasonable steps may prove to be contentious, but businesses have to start with the process.
"Generally accepted definitions of reasonableness refer to what makes business sense for your specific organisation. There is no need to go out and spend hundreds of thousands on technology. A lot of the vendors will present solutions that they say represent a silver bullet for businesses, but there is no point in taking them up if they are not relevant for your business. Organisations have to combine technology, people and process in order to be compliant with the law. You need to know what designation the type of information you collect has been given in terms of the Act before attempting to comply. A lot of the larger organisations like insurance companies and financial services companies have been working on compliance for years, but because it is such a monumental shift in how we handle data, it takes time. The first step is to get a handle on the information your company processes while considering how your outsourcing partners also handle theirs."
Steve Flynn, Director of Sales and Marketing at ESET says their attempt to act in line with the new law has proved to be complicated.
"From ESET Southern Africa we decided as a board about two years ago to start the whole due diligence process around POPI compliance and risk mitigation, and I can tell you it is not a piece of cake. Drew is our lead consultant on that and it is a serious commitment from the top to the bottom of the business. We are probably a third of the way through, and that is after two years. It has fundamental effects on your business: the way you store data, the way you process it, etc. It is pervasive through your entire business. It is not going to stop, and business owners need to understand the risk of non-compliance."
Van Vuuren concludes by emphasising that the risk management and good governance required by the POPI Act are applicable across the continent as a whole.
"To my knowledge the only other jurisdictions that are busy drafting this type of legislation are Kenya, while Ghana almost took our POPI Act verbatim and submitted that for ratification. I know that a lot of countries in West Africa have not got there yet. A lot of the drivers for data governance can be interpreted in terms of ISO 27001, which is an international standard, so if you apply the ISO controls it will apply anywhere. It is very difficult to measure the cost of the process, but training staff should not be costly as it can be done through HR. The cost of compliance is a different kettle of fish depending on the profile of a business. It is hard to determine. Businesses need to start the process by making that kind of assessment."