The Protection of Personal Information (POPI) Act is the most pertinent new compliance challenge for FSPs, key individuals, representatives and your employees.
Informed by South Africa’s constitutional right to privacy, the Act sets the minimum standards for and enforces the protection of personal information. It regulates how personal information should be responsibly processed and managed, and what your business can do with personal information.
Processing personal information includes collecting, storing, using or making available, as well as distributing and disseminating, personal information. Personal information includes a person’s name, ID number, address, phone number, marital status, biometrics, banking information and health-related information. Data about economic status, as well as opinions linked to politics, culture or religion, also count as personal information. Unusually among privacy laws, the Act also applies to the information of juristic persons, such as companies, organisations and government institutions.
Your FSP as a business and all your employees who collect, receive, record, organise, retrieve, use, disseminate, distribute or make such personal information available have certain responsibilities in terms of the Act. These include:
- Having a lawful justification, such as the data subject’s consent, to collect the personal information and process it.
- Confirming a valid reason for collecting specific personal information.
- Being transparent about how the personal information will be used.
- Destroying or deleting the personal information if there is no legal reason to keep it.
- Keeping the information up to date.
- Storing the personal information safely and only for as long as allowed.
- Knowing who accesses the personal information at all times and ensuring it cannot be accessed by unauthorised persons.
- Safeguarding the data from breach.
- Notifying individuals and the regulator in case of a breach.
POPI Act compliance is about meeting the requirements of the Act, but also about reducing the risk of a breach. You will need to assess which controls are required, which are actually in place, and whether those controls reduce the risk of a data breach.
Deadline and penalties
The deadline to comply with the POPI Act is 1 July 2021. It is vital to fast-track your compliance implementation, as failure to comply with the requirements may have dire consequences. Sections 59 and 100 – 106 of the POPI Act set out the circumstances in which a party may be guilty of an offence.
The most relevant of these offences are:
- Hindering, obstructing or unlawfully influencing the Regulator in the performance of its work.
- Obstructing or not respecting warrants issued in terms of section 82.
- Failing to comply with an enforcement notice served by the Regulator.
- Offences by witnesses, for example lying under oath or failing to attend hearings.
- Unlawful processing of account numbers.
- Failing to obtain prior authorisation from the Regulator for the processing of personal information addressed in section 57.
Section 107 of the Act details which penalties apply to the respective offences, to be imposed by a Magistrates’ Court. The penalty for the more serious offences is a fine or imprisonment for up to 10 years, or both. For the less serious offences, the penalty is a fine or imprisonment for up to 12 months, or both.
Section 109 details administrative penalties the Regulator may impose through an infringement notice. These fines can run up to R10 million.
Other costs and risks
While it is important to comply with the POPI Act and its regulations to avoid harsh penalties, there are other risks involved too. Addressing a breach and the related investigations is an administrative and legal nightmare. International statistics indicate that managing the consequences of a data breach can cost a business millions, and that up to 30% of affected small businesses close as a result.
Secondly, the media loves reporting on data breaches. This can have significant reputational risk implications. Some of the data breaches that recently occurred locally and globally are:
- Experian
The personal information of up to 24 million South Africans and nearly 800 000 businesses was compromised in 2020. Individuals’ personal information exposed included cell numbers, home and work phone numbers, employment details and identity numbers. The company information that was exposed included business names, contact details, VAT numbers and banking details.
According to Experian, the data was found on a third-party data-sharing site on the internet, hosted in Switzerland. The third party has disabled the links and the data has been removed. Experian informed the Regulator of the breach on 6 August 2020. The breach was the result of a ‘fraudster’ approaching Experian while posing as a representative of a legitimate client; no systems were hacked, the data was handed over. Law enforcement was notified and an Anton Piller order was executed. The ‘fraudster’s’ hardware was confiscated and the data was deleted.
- Microsoft
Early in 2021 attackers exploited vulnerabilities in Microsoft Exchange email servers. At least 60 000 organisations worldwide were reported to have been breached in this cyber-attack. The victims included many small to medium-sized businesses, but also several large entities such as the European Banking Authority. Personal data contained in the compromised mailboxes may have been exposed.
- Marriott Hotels
Marriott discovered in September 2018 that its Starwood guest reservation database had been compromised; the intrusion dated back to 2014. The database contained the personal information of more than 300 million guests, including credit card details, passport numbers and dates of birth. The UK Information Commissioner’s Office issued a notice of intent to fine Marriott £99 million (about $123 million at the time); the fine finally imposed in 2020 was £18.4 million.
- Facebook
Attackers exploited a vulnerability in Facebook’s code between July 2017 and September 2018 and stole the access tokens of 30 million people. Personal information exposed included name and contact details, username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education and work. It also included the last 10 places the users checked into or were tagged in, their website, people or pages they follow, and their 15 most recent searches.
- US Treasury and Commerce Departments
The US Treasury Department and the US Commerce Department were breached in late 2020, and the attackers may have broken into other government agencies as well. The attackers may have monitored staff emails at the agencies for months. The affected bureau at the Commerce Department was the National Telecommunications and Information Administration.
- Google (Gmail)
Gmail users were warned by some media outlets about a potential data breach after Google services went down for millions of people across the world in December 2020. It was speculated that hackers had sabotaged Gmail, which has more than 1.5 billion users globally. Google attributed the outage to an internal failure in its authentication system, and no breach was confirmed; the incident is included here because an outage of that size is reported as a breach whether or not one occurred.
- Liberty Holdings
Liberty suffered a data breach of an email server in 2018, which could result in Liberty Holdings facing a civil lawsuit from its clients or even fines. Information Regulator chairperson Advocate Pansy Tlakula said that once the POPI Act was fully in force it would enable the Regulator to investigate the data breach.
- Absa
An Absa employee unlawfully made selected customer data available to external parties in 2020. The bank has laid criminal charges against the employee.
Staggering amounts of data were stolen during 2020, according to Security Magazine, which reported on the top 10 data breaches of the year. Selling personal information is lucrative. Although it is the large corporates that make the news, the reality is that FSPs also hold client information that can be sold on the dark web.
What to do
You will need to review and adapt your systems, processes and governance policies to comply with the requirements of the POPI Act. You can also aim to use the POPI Act to enhance your practices and gain the trust of clients and stakeholders.
By complying with the POPI Act, your business will demonstrate your adherence to Section 14 of the Constitution: the right to privacy. It will also show you are committed to protecting clients’ and stakeholders’ personal information and that you have implemented effective breach risk management. Ultimately it will reflect your business’s good corporate governance.
Masthead has developed a detailed methodology and various tools and templates to help you with your POPI Act compliance process. This will assist you to meet the Act’s requirements. Get in touch with us for more information.