Business sketchy on PPI Bill implications


Johannesburg, 04 Jul 2012

Though the majority of organisations are aware of the Protection of Personal Information (PPI) Bill, most are still uncertain about its implications.

This was one of the key findings from the Deloitte-ITWeb PPI Bill Survey, which ran on ITWeb Online for two weeks and attracted 91 responses.

Fifty-three percent of respondents said they are aware of the proposed law but are unsure about its repercussions for non-compliance.

Only 34% revealed they are aware of the Bill and understand the possible implications, while 13% said they had never heard about this piece of legislation before.

Dean Chivers, director of Deloitte Legal, believes there are a number of reasons why organisations are still in the dark about the repercussions of the PPI Bill.

Privacy versus secrecy

First, he says, there has been some confusion between the Protection of Personal Information Bill for data privacy and the Protection of State Information Bill - the 'Secrecy Bill'.

“Two, it has not yet been passed into law, and some organisations will probably wait for this to happen before really focusing on it, which is, in our view, a mistake, as compliance is a huge exercise.

“Three, although it's common in law globally, it's very new to South African companies, and thus requires time to be understood,” says Chivers.

Speaking at a roundtable to discuss these findings, Terence Kelly, Deloitte's associate director for risk advisory, pointed out that South African organisations are in “digital denial”, as virtually all organisations will be affected by this Bill, one way or the other.

Interestingly, when asked if their organisations have started implementing measures to comply with the imminent law, the majority (37%) professed ignorance. On the other hand, 34% pointed out that they have already started complying, while 29% have not.

“The Bill provides for a grace period, but that period is unlikely to be long enough to achieve compliance; implementation will probably take as long as three years. Thus, those not yet acting may well run out of time,” Chivers cautions.

“This Bill will affect almost all business processes, data and systems - such extensive changes do not happen quickly,” he adds.

Officer in charge

When asked if their organisations have a privacy officer with relevant certification, a significant 59% said “no”. Only 16% have such a designation in their organisations, with the remainder uncertain.

Chivers says having a privacy officer is a legal requirement of the Bill. “It's the person who will be responsible for PPI compliance, so it's a key compliance step.”

The study also discovered that most organisations (39%) have not investigated how the PPI Bill affects and integrates with other legislation such as the Consumer Protection Act (CPA), the Promotion of Access to Information Act (PAIA), RICA and the Electronic Communications Act. Only a quarter of them have looked at how these laws are intertwined, while 36% are unsure.

According to Chivers, there are a number of key overlaps between these laws. “Two examples include the overlap with the CPA on regulating direct marketing and the alignment with the PAIA as to how people can request access to the data about them held by a company.

“If such overlaps and alignments aren't identified and addressed, an organisation may end up with duplicated or even conflicting business processes and policies,” he points out.

Expenditure uncertainties

The majority of participants (71%) are uncertain about the capital expenditure and additional operating budgets they will require in order to comply with the PPI Bill over the next one to three years.

Chivers believes organisations most certainly need additional budgets for the imminent law. “At the very least, compliance will require significant changes to business processes, policies, contracts and data management.

“It may well also require security and IT system changes. Training, too, will be essential. Compliance will require significant effort, and most companies will lack the skills and capacity internally to achieve this, especially if compliance is left until the Bill is passed into law, and the clock starts ticking.”

On a positive note, 68% of respondents revealed they have information security policies, processes and procedures in place, with only 16% saying no data is secured at a high level in their organisations. Three percent only secure hardcopy data.

It was also established that more than half (56%) of respondents currently retain records in terms of legislation, and destroy them after their retention period through the use of a records management programme. However, 21% do not do so, while the rest were unsure.

Meanwhile, about 56% of the organisations that participated in the study said they do not transfer personal information across borders, while 24% do.