This is according to Dean Chivers, director at Deloitte Legal, who notes that the pending legislation will require companies to do more than just secure their data – it will force them to extensively review their business policies and processes.
To get an indication of how prepared local organisations are for the Bill, ITWeb, in partnership with Deloitte, today unveiled the PPI Bill Survey.
The Bill is currently before the National Assembly parliamentary committee on justice and constitutional development.
In a statement, Deloitte notes that data privacy, in terms of the South African legislation, relates to an individual's personal information being safeguarded. “If you have information about people, you can no longer deal with it as you used to,” Chivers explains.
From the point where personal information is collected, he adds, organisations will have to get a person's permission to use his or her information. According to Chivers, historically, South African organisations collected data and used it liberally.
“The PPI legislation will require that any terms or contract concluded must have a consent element built in. Information can only be used in terms of the permissions obtained, and when information is no longer required for the purposes for which it was collected, it will have to be destroyed.
“Information will have to be secured regardless of whether it's in 'soft data' form or 'hard data' form and the security requirements include control of access to information. In the case of information being sent across borders and to outsourced service providers, such recipients will need to meet the same security requirements,” he explains.
Deloitte believes significant changes to systems to make them compliant with the demands of the PPI legislation will have to be accompanied by extensive training of staff across disciplines, as new rules will apply to what were previously routine corporate functions.
The company adds that access to information within a company will have to be controlled on an 'as-needed basis'. This will dictate which of a company's officers have access to what material. For example, it explains, HR data should only be accessible to a small number of employees, namely the HR team.
“Policies controlling the use and storage of files within personal offices, access controls and the removal of data from company premises will also have to be written. Sanctions for contravention of legal provisions will therefore have to be included in a company's HR disciplinary code,” says Chivers.
He is also of the view that processes will have to be built around the collection, processing, monitoring, distribution, and ultimately, destruction of all personal information held by an entity.
“The primary responsibility of safeguarding information will rest with the collector of the data. In this regard, the proposed legislation makes it clear that the safeguarding cannot be outsourced.
“In markets like the EU, where strong PPI laws already exist, major companies are using the services of independent auditing companies to certify compliance with destruction and other privacy requirements. Industries that are highly reliant on direct marketing or which process significant amounts of personal information will be the first to be impacted by PPI. Companies using marketing tools such as competitions to create databases will have to operate differently.”
Some South African companies, Deloitte notes, especially those with international links to countries with well-developed PPI legislation, are already working towards ensuring their future compliance.
“The South African PPI legislation is sound legislation. It is modern and aligned with internationally accepted practice. It also meets the needs of a technological age in which information flows easily across the globe.
“The onus will be on South African companies to ensure that security across their operations is effective and can be introduced in the time stipulated,” concludes Chivers. If they can achieve this, they will be more competitive globally.