While the Protection of Personal Information (POPI) Act makes South African companies globally competitive in terms of international data exchange laws, the additional cost burden of complying with the law is likely to cripple many smaller businesses.
That was the main sentiment shared by speakers during a roundtable discussion on the POPI Act held recently in Johannesburg.
The POPI Act was signed into law by president Jacob Zuma in November 2013, and promotes transparency with regard to what information is collected and how it is to be processed. The new law is about to come into effect after the Department of Justice announced it would start the ball rolling for the appointment of an Information Regulator. The appointment of the regulator was one of the main issues holding up the new law.
During the roundtable discussion, most speakers were in unison that embracing aspects of the POPI Act can translate into a competitive advantage for businesses. The speakers noted POPI has already had a hugely positive impact on business as it has prompted most organisations to assess how robust their systems and processes are - and ultimately their ability to store and process data securely.
Double blow
However, they were concerned about the impact POPI is likely to have on small businesses and ultimately, the economy.
Wayne Mann, group director for risk at The Unlimited, a financial services provider, said while larger corporates will, in all likelihood, be able to absorb the cost of compliance and have the resources necessary to implement POPI's requirements, the additional cost burden is likely to hurt SMEs.
"Their only option will be to pass the cost of compliance onto their customers which may compromise the affordability of their products or services and, ultimately, the sustainability of their businesses," Mann said.
According to Mann, it's not only the cost implications of POPI that are sounding the alarm bells for small businesses. He pointed out POPI is delivering a double blow as it will also impact their ability to market cost-effectively - particularly those businesses that depend on electronic marketing.
"Imagine a small company that relies on e-mailing monthly specials to its 10 000-strong database - which, in turn, generates sufficient revenue to sustain the business," Mann explained.
"POPI will outlaw this form of electronic marketing unless people on their database have 'opted-in' - given their consent to be marketed to in this fashion. Not only does obtaining consent come at a cost, these businesses can also expect their target markets to contract."
Middle ground
Warren Moss, founder and CEO of Demographica, noted government needs to find a middle ground in which the security of personal information can be achieved within an environment that stimulates economic activity.
"When one considers, firstly, that small and micro enterprises provide approximately 40% of employment opportunities in SA; and secondly, taking into account that South African small businesses are faced with one of the highest failure rates in the world, as high as 70% in their first year, according to minister Rob Davies, can we really afford to enact legislation that places additional obstacles in the way of these businesses succeeding?" Moss pointed out.
Also speaking during the roundtable discussion, economist Mike Sch"ussler said POPI will inhibit economic growth and create barriers of entry for small businesses.
"We should first be asking what is needed to grow the economy, before creating rules and regulations that impact the cost of doing business in South Africa, inhibit growth and stifle competition," said Sch"ussler.
Taking accountability
According to Francis Cronj'e, a corporate governance expert who is also CEO of InfoSeal and MD of franciscronje.com, POPI not only gives effect to every person's right to privacy as enshrined in the Constitution, but also puts SA on par with international data protection legislation, removing certain trade barriers insofar it relates to the cross-border transfer of personal information from other economies into SA.
He noted the law will spur organisations to take accountability for the information individuals or companies give them custodianship of and will provide data subjects with sufficient recourse should organisations fail to take accountability for the lawful processing and safeguarding of their personal information.
It would also force organisations to better manage the information they have which would eventually lead to operational savings in the long run, he said. With cyber crime becoming more and more advanced and more prevalent, the managing and governance of information is paramount. POPI enforces such management and governance," said Cronj'e.
"Smaller organisations will be impacted by POPI and POPI does apply to everyone that processes personal information. It does, however, not mean they have to spend thousands to become compliant. A simple rule would be to treat other persons' personal information the same way you expect them to treat yours, unless of course you don't care about your own personal information."
Share