
POPI - to Act or not to Act? That is the question...

There is no official indication of when the Act will be fully enforced, or if any progress has been made in appointing an information regulator, says Alison Treadaway, MD of Striata.


Johannesburg, 02 Mar 2015
Alison Treadaway, Managing Director at Striata, South Africa and Director, Striata Communication Solutions.

Fifteen months after the Protection of Personal Information Act (POPI) was signed in Parliament (November 2013), there is still no official indication of when it will be fully enforced or even if any progress has been made in appointing an information regulator. In his State of the Nation Address on 12 February, President Jacob Zuma did not even mention this business-changing Act, which was so heavily in the spotlight in 2013.

Says Alison Treadaway, Managing Director at customer communication management specialist, Striata: "Organisations that process customer data, either of their own, or on behalf of other companies, may feel safe opting for a 'wait and see' approach. After all, once the full Act is enforced, we are expecting a grace period of one year before organisations have to comply."

However, Treadaway says there are areas of compliance that will not be achievable in a one-year period, so organisations should already be addressing them.

Can your business afford to wait?

"Whether or not your business can afford to wait and see is really dependent on your scale:

* The number of employees you have;
* The number of data subjects whose information you hold;
* The number of processes that consume data in your workflow;
* The number of suppliers you have who touch your data; and
* How solid your information security is, and so on...

"Businesses with large numbers of any of the above will not be able to make the required changes in one year, especially since changes, in some cases, need to be made both retrospectively and going forward," explains Treadaway.

Treadaway says a business needs to evaluate its gaps in each of the primary affected areas and then determine whether the changes required to reach compliance are achievable in a 12-month time-frame. As a starting point, she recommends reviewing the following key areas:

Employees

Every organisation has employees. The size of your employee base and how much attention you've paid to where, why and how long you store information about employees will determine how much work is required to achieve compliance.

You will have to complete a review of how the following records are managed:

* Performance reviews;
* Disciplinary documents;
* Remuneration information for employees;
* CVs, criminal/credit checks; and
* Offers for candidates you've interviewed.

Legal

Contractual agreements that include the gathering and processing of personal information of employees, customers, partners or vendors will need to be reviewed or appended to cover the required data clauses. For example:

* Employee contracts need a clause giving consent to store and process personal information.
* Customer contracts require the same as above.
* If you share your customers' personal information with a service provider (such as a WASP or ESP), your vendor agreements need to align with your contractual obligations to your customers.

Processes

Your customer/vendor/employee acquisition processes need to be amended to include information about a data subject's rights, and to record consent for processing. You will need new processes to handle queries about personal information: where you got it, whether you have consent to use it, and whether it is accurate and complete. And, perhaps most important, you will need processes to appropriately manage a data breach.

Security

Ensuring that personal information entrusted to your organisation is safe requires security on both a physical and technical level. This means identifying and securing every filing cabinet, desk drawer, server, mobile device and desktop on/in which personal information resides. It also means understanding who has, and who should not have, access to those locations, plus the ability to manage access permissions and audit trails.

Training

Everyone in your organisation has to be trained on the new processes and security measures. Depending on the size and distribution of your staff, this may be a small or a mammoth task. But it's not only about training, it is also about ownership of the requirements at all levels of the organisation. These interventions will be easier for organisations with C-level buy-in and the right company culture.

"Businesses of a certain size may be able to park some of the changes until the Act comes into force. But most should be preparing in the areas which require exceptional investment (security) or large-scale change management (training). And any business that is classified as an operator* should be way ahead of the game in terms of both their own compliance and advising their clients on what is required. There is no question of an operator waiting until the Act is fully enforced," concludes Treadaway.

*A person/company that is contracted to process personal information for a responsible party, but is not under direct authority of that party. So your digital agency, WASP and print provider are all considered operators, as they process personal data on your behalf.


Striata

Striata unlocks the power of e-mail and mobile messaging.

Its electronic delivery solutions dramatically increase customer adoption of paperless bills, statements, policies, marketing and other high-volume system-generated documents.

The world's largest financial services, utility, insurance, retail and telecommunications companies achieve unrivalled results by replacing print and mail with Striata's interactive electronic documents and transactional messages.

Striata's enterprise platform, strategy and support services:

* Drive significant paper suppression;
* Deliver ongoing cost savings;
* Accelerate payments;
* Enhance the customer experience; and
* Enable regulatory compliance.

Striata's comprehensive solutions expand the digital dialogue through personalised customer life cycle messaging, retail receipts, notifications and alerts.

A global paperless communications specialist with over a decade of experience, Striata has operations in New York, London, Johannesburg, Hong Kong, and Sydney, and partners in North and Latin America, Europe and Asia Pacific.

Alison Treadaway
Managing Director at Striata, South Africa and Director, Striata Communication Solutions

Alison Treadaway is a director at global paperless communication specialist, Striata. In addition to running the African region, she is involved in defining strategy, improving business efficiency, nurturing organisational culture, promoting employee wellness and mentoring talent.

Treadaway has 18 years of experience in the ICT sector, having worked at Internet Solutions and Dimension Data prior to joining Striata in 2002. She holds a Bachelor of Arts (Languages, Wits) and a post-graduate diploma in business administration from Wits Business School.

As the custodian of Striata's organisational culture, she is particularly interested in protecting and enhancing Striata's stories, traditions and unique approach to achieving success. To this end, she interviews 90% of approved candidates to ensure Striata's work ethic and social culture will continue to thrive as the organisation grows.

Editorial contacts

Marketing
Striata
marketing@striata.com