Daniella Kafouris, manager of technology and data privacy legal practice at Deloitte, notes that the PPI Bill is based on universally accepted key principles, and is modelled closely on EU personal information protection laws.
In the EU, these laws provide for fines for non-compliance of up to 2% of global annual turnover, she says.
Besides the potential for large non-compliance fines, there is a significant reputational damage cost to companies whose data is compromised. The PPI Bill, like other global legislation, will make it mandatory for companies to declare any breaches or compromise of personal information. The cost of reputational damage resulting from such a compromise would be significantly higher than the actual fines, says Kafouris.
“Companies need to be proactive, rather than reactive about it,” says Kafouris. “Hacks, digital attacks and malware strike companies daily, but currently it is not reported. Once the Bill is in place, there will be a provision for breach notification. The breach must be reported and the people whose data may have been affected must be notified. This creates issues around reputational risk and the true cost of non-compliance.”
Besides the local law set to be promulgated, Kafouris says, there are existing international laws to consider.
“Any company whose data moves across borders must comply with the laws in the regions where it resides,” she says. “For example, if you engage with a cloud service provider in California, you must meet the breach notification and encryption laws of that state. If you're a global organisation extracting data from all over the world, you might have to comply with multiple jurisdictions,” she says.
“Your geography plus your industry establishes your rules.”
Kafouris advises companies to take a proactive approach to mitigating data compromise. In line with the PPI Bill, companies will have to appoint a privacy officer, but larger enterprises will probably need several 'privacy champions', too, she says. Compliance should ideally be driven by a professional with a balanced understanding of both IT and legal experience. People with both skills sets are rare, she concedes. “There's a serious need for professionals in this field who have an understanding of both.”
Companies also need to assess their data management practices now, and plan a strategy to address any gaps. While there will likely be an 18-month period once the PPI Bill is promulgated, Kafouris says companies should take action sooner rather than later, to ensure they are in compliance with global best practices in the protection of personal information.
Kafouris will address the upcoming Ideco IDentity Indaba, in Sandton, on the need for cyber resilience in business. For more information about this event, click here.