
Govt holds up privacy law

By Nicola Mawson, Contributor.
Johannesburg, 01 Apr 2015
Some companies are holding off complying with privacy law to gain a competitive advantage.

Several companies are hanging back on privacy systems, as government has yet to designate an Information Regulator to make sure SA's privacy law is properly implemented and policed.

The Protection of Personal Information (POPI) Act was signed into law about 18 months ago by president Jacob Zuma, but its stringent provisions around how consumers' data must be protected, accessed and stored are currently of no effect.

This is because the presidency has yet to appoint an Information Regulator. This delay - from November 2013 to now - comes at a time when cyber leaks and hacking threats are on the up globally, with SA being no exception.

Under the new law, companies face a fine of up to R10 million - or a decade in jail - if they breach its provisions, and could also encounter civil class-action lawsuits. However, the most damaging penalty will be reputational damage, because organisations will have to inform people if their data has been breached.

Waiting game

Elizabeth de Stadler, director at Novation Consulting, explains the law will only come into effect once Zuma has announced a date, and companies will then have between one and three years to comply.

Daniella Kafouris, an associate director at Deloitte & Touche, says there has been no official communication as to when the law will be in place. "We still expect the compliance start date to be published this year as there are further cyber security and cyber crime regulations that will be implemented in South Africa over the next few years, thus POPI will need to work in tandem with these."

However, De Stadler - who recently co-authored a book on the Act - believes it is unlikely an effective date will be announced before an Information Regulator is appointed. She notes there are instances in which laws have come into effect before the regulatory office is set up, such as the Consumer Protection Act. "I don't know why it [the appointment] has not happened yet."

The Department of Justice is the overseeing entity, notes De Stadler, although Kafouris says the presidency needs to appoint a regulator.

Neither the presidency nor the department was available to comment this morning.

No certainty

De Stadler notes the delay means companies are uncertain as to how to time their compliance. Under the pending law, companies may only contact customers for specific purposes, and POPI is likely to eliminate a large amount of spam because of this requirement. "Become too compliant too early, and you may lose a competitive edge against your less scrupulous competitors."

While many companies are adopting a "wait and see approach", others - who make their money out of data - are also preparing, says De Stadler. For consumers, however, the lack of transparency is the biggest obstacle standing in the way of exercising their right to control their own information. "You can hardly complain about something you don't know about."

Kafouris concurs that many organisations have started addressing POPI compliance concerns, but adds "a great deal of organisations have also downplayed the compliance requirements". She notes those entities, when they get to the granular detail, realise a well thought out strategy could have cut the costs dramatically.
