
Enterprises take lead in POPI compliance

By Admire Moyo, ITWeb news editor
Johannesburg, 11 Feb 2014
POPI was only given serious consideration when it was signed off by the National Assembly, says Heino Gevers, security specialist at Mimecast.

Larger companies began to expend considerable resources on the Protection of Personal Information (POPI) Act only in the past 12 months, once the Act was passed by the National Assembly.

So says Dario Milo, partner at law firm Webber Wentzel, who notes that, in contrast, small to medium companies have not yet devoted much effort to POPI.

"Companies, in general, may tend to feel that the year's grace period in POPI provides them with sufficient time to bring their house in order, but our experience is that it takes much longer than this, and this is particularly so for the larger companies," he says.

Heino Gevers, security specialist at Mimecast, concurs, saying the Act was only given serious consideration when it was signed off by the National Assembly.

"Before then, many thought it would not take effect and underestimated the magnitude of this Act and how it would truly impact their organisational processes and policies," he says. "Recently, organisations have started developing programmes and building the teams needed to manage the requirements and ensure their POPI compliance."

New rules

The Act establishes a new set of rules governing the handling of data about people and entities. It will affect nearly every area of business processes, and will require, among other things, amending legal documents, consolidating data views, analysing subcontracting practices, and gaining control over cross-border data flows.

According to Gevers, from an infrastructure perspective, businesses need to introduce innovative technologies that will allow them to classify and distinguish between personal and non-personal information.

Businesses will also need to review their business policies and processes to ensure that the management of this personal information is incorporated, he explains, adding that in accordance with the Act, information needs to be retained in a mutable format and made easily accessible to the owner of that information on request.

"Information owners also require that any storage and use of their personal information is communicated to them and that they understand why it is being retained and how it can be accessed," Gevers notes.

The big task

On the other hand, Milo believes the big task with the Act is the data audit of personal information within a business. He is of the view that there needs to be a detailed understanding of all types of personal information being processed in the company, the purpose for the processing, where the information is sent to and received from, and how long the information is retained.

The small to medium companies have not yet devoted much effort to POPI, says Dario Milo, partner at law firm Webber Wentzel.

Once this structure is understood, the business can move to form a legal view on whether the data flows are compliant with the conditions for lawful processing under POPI, Milo explains, pointing out that there are also policies and consent forms which need to be drafted, and contracts that may need to be revised and amended.

He also notes that once the law comes into force, even the processing of personal information that was underway before the law will need to become POPI compliant.

"This could pose considerable challenges to the business. For instance, old information stored in manual archives may need to be destroyed, and outdated information systems may need to be revised. The collection and processing of personal information after the law comes into force will also, of course, need to be POPI compliant, but businesses are likely to find compliance with 'new' information easier," Milo argues.

Biggest challenge

To Gevers, one of the biggest challenges will be finding the necessary skills and tools to harvest the legacy of personal information that businesses already have in storage.

"Other challenges that businesses face include processing information in a compliant manner; retaining it for the appropriate amount of time; and making it accessible to the owner without exposing the business to any additional risk."

He also points out that local businesses will benefit from the Act, as consumers will be more secure with the knowledge that any information they share will be managed responsibly.

Consumers will, therefore, engage more efficiently with businesses, especially online businesses, sharing the required information needed to transact with them, Gevers adds.

According to Milo, data privacy legislation has been around in Europe for over 20 years, and other important trade jurisdictions have adopted the legislation in more recent times.

"SA has lagged behind in enacting POPI - which is the 100th piece of legislation of its kind internationally. Because POPI governs the transfer of personal information to foreign jurisdictions and protects personal information received from those jurisdictions, POPI will aid and abet business dealings with foreign entities," Milo concludes.
