The Protection of Personal Information Bill (PPI Bill) will come into operation in the near future. Although businesses will have 12 months in which to comply, it is advisable that organisations not leave planning and implementation of the requirements to the last minute. The penalties for non-compliance are considerable, and the requirement that data breaches be reported entails a reputational risk that few private companies can afford to run.
The Bill gives effect to the constitutional right to privacy by safeguarding a person's personal information. The legislation will prescribe how personal information is to be gathered, stored, transmitted and processed.
The transmission and processing of personal data abroad are areas of great risk in terms of the standards set by the Bill. A responsible party in South Africa may not transfer personal information (PI) to third-party recipients in a foreign country unless there are safeguards in place. These safeguards are enumerated in Chapter 9 of the Bill and have been tightened up in its final draft.
This has great impact on hosting in, for example, the US or the EU, as South African businesses will have to ensure that the foreign hosting company adheres to the principles of the Bill. Personal information may not be transferred to a foreign country unless the recipient is subject to a law or binding corporate rules that adequately and effectively uphold the principles for reasonable and lawful processing of personal information. The further transmission of the data is also protected.
The Bill attempts to ensure that personal information held or processed abroad is protected in a similar fashion to how it would be protected in South Africa.
The reference to binding corporate rules means South African businesses need not interrogate the laws of the recipient country in order to ascertain whether the protection afforded to the data is adequate. If the corporate rules by which the recipient is bound adhere to the principles, the data may be transmitted and processed abroad.
These corporate rules include information security management systems such as ISO 27001 and SAS 70.
According to Diederik Jordaan, MD of Gen 2 Enterprise Software, the Daptiv Project Portfolio Management application has been ISO 27001 certified and complies with the standards required by the Bill. Daptiv, he says, is currently the only on-demand PPM application with an ISO 27001 certification.
In addition, Jordaan confirms that Daptiv boasts an SAS 70 Type II certification, which is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). This is further confirmation of Daptiv's commitment to data security and the responsible storing and processing of data.