
PPI Bill implications baffle SA businesses


Johannesburg, 14 Jun 2011

Though the majority of South African organisations are aware of the Protection of Personal Information (PPI) Bill, most of them are unsure of the implications of this imminent piece of legislation.

This came out of the ITWeb-Deloitte PPI Act Survey, which ran online for a fortnight, attracting 180 responses.

The PPI Bill is set to transform the way organisations collect, store and use personal information about their contacts and will effectively provide SA, as a jurisdiction, parity with other countries that have implemented data protection legislation.

The Bill is currently before the National Assembly parliamentary committee on justice and constitutional development.

The study asked the respondents to what extent they are aware and informed about the PPI Bill and the impact it will have on their business.

The majority (61.87%) revealed they are aware of the Bill but are unsure about its implications, 21.18% noted they are aware of the Bill and understand the possible implications, while 13.67% indicated they have never heard of it.

Commenting on this finding, Dean Chivers, Deloitte's tax and legal director, says since data privacy is multifaceted, understanding the legal requirements is not simple. “It covers the collection of data, processing of data, destruction of data, data subject consents, access control, security of data, cross-border data flows, etc.”

Practical compliance

In addition, he notes, understanding the law is only the first step, as the practicalities of implementing compliance are even more difficult.

“The requirements relate to both hardcopy and softcopy data, and thus compliance needs to be achieved in what has historically always been a somewhat unstructured and unregulated environment,” he adds.

According to Chivers, experience in implementing data privacy compliance programmes has shown that the key is understanding which compliance aspects need to be dealt with at an enterprise level, and which need to be addressed at a business unit level.

In that vein, he urges organisations to obtain quality professional advice so that the upsides are maximised and compliance does not become a never-ending process that keeps the company in a position of risk.

“Once this has been achieved, it's down to designing and implementing practical and achievable projects,” he points out.

Cross-border flows

Most First World countries already have data privacy laws, Chivers notes. “One thing they all have in common is strictly regulating cross-border flows of personal information.

“It has been our experience when working with clients on data privacy compliance that many companies that have operations outside of SA are, in many instances, already contravening data privacy laws of the countries in which they have operations.

“This is something which all companies need to be aware of when receiving data from companies outside SA, or when accessing data held outside SA,” Chivers explains.

The respondents were also asked to what extent their softcopy and hardcopy data is secured. It emerged that for the largest group (33.57%), only softcopy data is secured to a high standard. This was followed by 26.43% who revealed that all their data is secured.

Some 21.43% stated that no data is secured at a high level, with 12.86% saying they are unsure. Only 5.71% have only their hardcopy data secured to a high standard.

“The world has become very electronic platform-driven, and SA is no different,” comments Chivers. “As this has happened, IT has become a huge focus for organisations. It has also meant that less focus is given to hardcopy data.”

He also explains that many companies have a CIO, but very few have a senior resource dealing with hardcopy data. “This trend does provide data privacy compliance challenges.”

The survey also asked respondents whether there is a written agreement in place between their company and its outsourced service providers, such as IT support, payroll, document storage and credit checks.

It emerged that most organisations (58.57%) do have a written agreement, while the remainder do not.

Among those with a written agreement in place, 46.43% revealed that the agreement governs security, 37.86% said it is compliance-audited, and 21.43% noted that it governs destruction of data after use.

Chivers stresses that the law will require all outsource relationships to have a written contract in place, and for good reason.

“Currently, even where a contract is in place, it is likely to mainly deal with service level issues; it rarely covers data privacy. While some do have confidentiality provisions, do companies know what their outsourced service providers do with the data they pass to them?

“In most cases, this data is simply left with the outsourced service provider, and its return, destruction or retention security aspects are not regulated,” he states.

Consent alignment

The survey also asked businesses how they plan to address the issue of obtaining consent from current and future customers and stakeholders for the use of their personal information.

The largest group (42.14%) indicated it is not part of their roles and responsibilities; 32.86% said they have not planned that far yet; 22.14% stated they are updating contracts and engaging with data subjects to sign off.

A further 16.43% said they are contacting data subjects via electronic means to request specific consent to use their data. Only 5% said they are structuring advertising/PR campaign calls to action to submit data and consent.

Chivers believes the first step for obtaining consent involves incorporating data privacy consent provisions in all relevant contracts, such that when new contracts are concluded, the required consents are obtained.

The second step, he adds, is analysing all existing personal information and relationships, and deciding which will still be relevant going forward from a processing perspective. In these instances, specific consents will need to be obtained, he maintains.

“In both instances, it is vital to ensure that all consents required be obtained, not in a blanket style, but in a comprehensive and specific manner. It is also important to ensure the subsequent processing can be aligned to the consents obtained.”
