It is critical to proactively implement the requirements of the Protection of Personal Information (POPI) Act – and Data Privacy Management in general – as all processing of personal information must comply with the Act by 1 July 2021.
Postponing POPI Act compliance planning and implementation is a high risk, considering how seriously data breaches are viewed elsewhere in the world. Among recent penalties issued, the UK Information Commissioner's Office (ICO) fined Marriott International £18.4 million for failing to keep customers’ personal data secure. Civil claims based on data breaches are also increasing internationally. Liabilities for data breaches in South Africa could be equally severe.
A principle-based act
There is a misconception that a simple rules- or template-based ‘tick box’ compliance approach is sufficient to manage the requirements of the POPI Act. The POPI Act is principle-based and, as such, requires you to think about your business and apply the relevant requirements specific to your business. This includes reviewing and implementing business policies and processes that would protect clients, employees and other business stakeholders from potential harm caused by a breach.
International guidance and elements of effective Data Privacy Management
Reviewing and adjusting your policies and processes is in line with international best Data Privacy Management practice. The South African Information Regulator closely follows international trends and practices, as the POPI Act intends to “regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests”. We should hence consider lessons learnt from implementing similar legislation and regulations elsewhere, such as the well-established EU General Data Protection Regulation (GDPR). International best practices and standards for Data Privacy Management advise managers and implementers to incorporate privacy management into business culture, policies, strategies and daily operations. Effective Data Privacy Management therefore includes good corporate governance and effective legal, policy, risk and compliance management, systems and process assessments, communication, training and awareness. These elements apply with equal importance, irrespective of the size of your business.
Policies and processes should be documented and implemented to ensure consistent standards, and then reviewed regularly to ensure they remain relevant. The review process helps to identify gaps and the points at which breaches of personal information may occur.
These policies and processes are typically documented in an Operations Manual. This acts as the authoritative guide in the business and is used for ongoing training and awareness.
More than information security
Information security is part of the core of Data Privacy Management. But POPI Act compliance entails much more than just addressing information security or the threat of cyber-attacks. It is about proactive, inclusive and ongoing risk-and-opportunity management. Many of the risks relating to breaches lie in business operations, in the everyday processing of personal information, often by junior employees.
Understanding how you process personal information is critical. ‘Processing’ is defined widely in the Act as:
“any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information.”
Effectively reducing and mitigating the risk of breaches in business procedures and processes is one of the most critical, underestimated and potentially time- and resource-consuming aspects to address.
The end of the ‘grace period’ is upon us
Enforcement of compliance with the requirements of the POPI Act was postponed until 1 July 2021.
When asked if the grace period will be extended, a representative of the Information Regulator responded with an emphatic “no” on 4 November 2020. It is therefore important that you prioritise your POPI Act compliance sooner rather than later.
Solutions and assistance
Solutions that address POPI Act compliance should be cost-effective and user-friendly.
Masthead is committed to supporting your POPI Act compliance journey and has carefully developed guidelines, tools and experienced specialists available to assist you. Contact us for a free Status Quo and Needs Analysis discussion about your POPI Act compliance.