How companies can gear up for POPI

By Bonnie Tubbs, ITWeb telecoms editor.
Johannesburg, 20 Mar 2014

Keen compliance with the stringent provisos laid out in the Protection of Personal Information Act (POPI) will save companies money, distress and reputational harm.

This is according to Thav Reddy, head of information protection at Nedbank. Speaking at the IT Leaders Africa Summit in Sandton this week, Reddy took attendees through some of the key considerations for companies to bear in mind when planning their POPI strategy, and the implications of the Act on IT security.

Having clear, structured policies and rules, the right people in place and a comprehensive view of the data the company deals with, says Reddy, can prevent serious and disruptive consequences.

"It's good for organisations. It prevents your CEO from going to jail, it prevents your company having to pay a R10 million fine (and this is not dependent on the size of your organisation) and it means your clients will trust you to keep their information safe."

Data defence

POPI, which regulates how companies handle, store and secure personal information, was signed into law by President Jacob Zuma in November last year, but a commencement date has yet to be announced.

The legislation is based on the European data protection directive, and aims to ensure personal information is processed in a way that corresponds with internationally accepted data protection principles.

Using Nedbank as a case in point, Reddy says the financial institution has considerable mechanisms in place around data, yet there is a perception that banks sell data. "This is not necessarily the case. [Nedbank has] robust controls in place and then on top of that, hires someone like me at an exorbitant price, to make sure these are carried out correctly."

The danger, she says, lies in the fact that banks, like most organisations, have to rely on service providers to help them do business. "What happens when that information leaves the bank to the end of delivering a service to a client?" asks Reddy. This, she says, is where data is likely to get leaked.

According to Reddy, these are some of the things companies' IT divisions should heed and do when preparing for compliance with POPI, the country's first comprehensive privacy legislation:

1. Have a structured process in place.
2. Become friendly with other people and areas in the organisation, especially legal and data governance.
3. Make yourself familiar with the area of the organisation that takes care of business process mapping.
4. Know how the company manages data - and that includes hard copies of information.
5. Consider how long the organisation keeps data for. Different legislation requires different timeframes - this can be anything from five or 30 years to forever.
6. Have data stewards.
7. Classify data. Consider what data is internally-bound, gets sent out, can affect the company's share price, etc.
8. Backup policies are crucial. When the regulator comes in, we will be looking at jail terms if backups are not carried out.
9. Encryption is a mitigating factor should your device get stolen and information compromised.
10. Take a look at www.ico.gov.uk (the UK's Information Commissioner's Office) to get an idea of how POPI could play out when it is implemented in SA. The people responsible for drafting SA's information protection legislation have done so based on the UK's example.

The eight conditions of POPI

POPI establishes eight conditions that need to be met for the processing of personal data to be lawful. The conditions are:

* Accountability;
* Processing limitation;
* Purpose specification;
* Further processing limitation;
* Information quality;
* Openness;
* Security safeguards; and
* Data subject participation.