Getting with the POPI programme

By Daniella Kafouris, Senior Manager at Deloitte, and Dean Chivers, Director at Deloitte.


Johannesburg, 02 Dec 2013

The signing into law of the Protection of Personal Information (POPI) Bill last week is a significant step towards facilitating cross-border trade for the South African economy.

The Act establishes a new set of rules governing the handling of data about people and entities. It will affect nearly every area of business processes, and will require, among other things, amending legal documents, consolidating data views, analysing subcontracting practices, and gaining control over cross-border data flows.

So it is essential that companies which have not already done so get compliant. Although there is a compliance grace period, starting on a date yet to be determined by the president, this is likely to happen fairly quickly.

A recent ITWeb/Deloitte POPI Bill survey suggests that many companies are largely unprepared, and underestimate the gravity and complexity involved with getting compliant. Most organisations do not fully comprehend the operational implementation challenges they will face when embarking on this journey.

The timeframes involved cannot be underestimated - especially for companies doing business in multiple jurisdictions. They will no longer be able to outsource data storage functions to service providers in countries that do not have data protection laws similar to POPI without implementing sufficient contractual and risk-mitigating measures. These measures will need to be standardised across jurisdictions through binding corporate rules.

Given the proliferation of cloud services in today's marketplace, this could present a real challenge for companies that are not POPI compliant when the time comes - leading to a last-minute scramble. Understanding where data will be hosted, and the mechanism used to secure it, are two elements that must be considered, as both will affect the privacy or POPI compliance of a business.

The new Act requires companies to have policies in place that deal with such issues, and to appoint a privacy officer to drive the company's compliance process, as well as to interact with the information regulator that will be established.

The ITWeb/Deloitte survey found that over half of respondent organisations (56.1%) don't have information security or privacy policies, processes and procedures in place.

Companies which haven't already done so need to start putting measures in place, not just to increase but to maintain their competitive edge.

A start would be a gap analysis to identify vulnerabilities, followed by crafting a roadmap to eventual POPI compliance.

In the case of multinationals and larger companies, one year will not be enough to reach compliance; it could possibly even be closer to three years.

Like other countries, South Africa remains vulnerable to the threat posed by hacking and cyber crime, mostly conducted in order to gain access to personal information or systems that house personal information.

The recently released South African Cyber Threat Barometer 2012/2013 puts the total direct losses to sectors within the scope of research at R2.65 billion.

Although an average recovery rate of 75% brings the estimated actual loss figure down to R662 million, the reality is that businesses and companies cannot afford to be complacent.

Either they put measures in place to eliminate existing vulnerabilities and protect their data, or they risk significant financial losses, as well as penalties or even imprisonment under POPI.

This is the reason why POPI is undoubtedly more of a benefit than a hindrance.

Not only is the protection of data a requirement of King III, but the new legislation will also bring South Africa in line with best practice in other parts of the world that enforce commitment to good corporate and data governance.

There are several downsides to being non-compliant, foremost among them reputational damage. Other consequences are a maximum fine of R10 million and/or a maximum jail term of 10 years.

South Africa isn't alone in this. EU data breach disclosure laws mooted last year (and soon to be voted on) recommend penalties of up to 2% of a company's global annual turnover.

But getting on board isn't just about obeying the law; it's essential to doing business in a data-driven world, and it has tangible benefits for profitability and competitiveness, giving a company that gets compliant early a competitive advantage.

Having POPI-compliant data management processes in place will be a market differentiator for businesses that have come to the table early.

And it goes without saying that by mitigating the risk posed by data breaches or data leakages, businesses can save millions.

POPI will also empower the average citizen by strictly enforcing the way in which an individual's personal information is held, and passed on. Individuals will now have a legally backed right to privacy and be able to take legal action if this isn't respected.

Whereas previously such data could be freely passed on and sold between companies ranging from banks to telemarketers, the consumer will now be able to report cases where their personal data has been 'handed on' without their consent.

Data is a company's asset - that is why it is so important to control the way in which it is used and stored.

Ultimately, this legislation will prove an invaluable tool to ensure the integrity, security and privacy of a company's data - in the process empowering not just the company, but the ordinary citizen too.
