Businesses that have taken the view that POPIA (Protection of Personal Information Act) compliance will not affect them, or that it is simply an IT issue that is an impediment to the organisation, will soon realise that their ill-advised approach is in contravention of the law.
As of July this year, all businesses are required to provide confirmation verifying the practices and procedures they have in place to protect personal information kept in their possession or by a third party on their behalf. The POPIA, which has been modelled on the European Union’s General Data Protection Regulation (GDPR), affects all businesses.
Some business owners are of the view that becoming POPIA compliant is burdensome and complex, often seeing it as an unnecessary distraction and red tape with added operational costs. However, the stark reality is that we operate in a global environment in which cyber-crime is becoming increasingly prevalent in our daily lives.
Privacy regulations have evolved around the world, and the movement to compel companies, especially data companies, to account for their management of personal information has taken hold.
POPIA has been designed to protect personal information by ensuring that public and private organisations adhere to the regulatory environment and global best practices. The onus is on the business to ensure it manages data in accordance with the Act.
This does not necessarily mean that there has to be a wholesale re-engineering of processes, but simply a formalisation of operational best practices.
Businesses have to consider what information they hold about an individual (or data subject), how long it is necessary to keep this information, and how they safeguard the information against unauthorised access by third parties. In addition, an individual has various rights, including the right to be removed from a list.
The processes to govern and administer data become an integral part of a business – a responsibility shared between business owners and IT departments.
However, one of the most significant aspects of POPIA is the management of personal information by which a data subject may be uniquely identified. The onus is on the business to provide proof that it has consent from the data subject. GDPR requires that consent is unambiguous and must be given by a clear affirmative act. Whilst the Information Regulator has yet to provide clarification on the POPIA interpretation of consent, it is likely to be in keeping with the GDPR. With considerable penalties in place, businesses cannot afford to be non-compliant.
One of the myths about POPIA is that the threats are predominantly external and anonymous. Businesses often view this as the domain of hackers in some remote location who are unlikely to be interested in “my organisation because our information is not that valuable or significant”. However, the rapid emergence of ransomware as a significant threat to businesses, irrespective of size, places greater value on operating within a regulated environment.
However, it is more likely that the conduct of employees poses the greatest risk to businesses. Employees inadvertently sending emails to incorrect addresses or accessing compromised websites on company networks may result in an accidental breach. Compliance starts from within, by ensuring that employees are aware of, and trained on, the significance of data protection and compliance in terms of the POPIA.
POPIA will gain momentum as all businesses will require suppliers, partners and customers to be compliant, especially where they are affected by GDPR. POPIA compliance will have a chain reaction, and the weakest links, those that are non-compliant, are likely to be removed from company databases.
Becoming POPIA compliant is the right thing to do. It demonstrates your organisation’s commitment to data security and privacy.