POPI compliance not a 'tick-box' exercise

By Marilyn de Villiers
Johannesburg, 14 Feb 2017

Any organisation that thinks it can become "POPI-compliant" simply by beefing up its IT security a little, could be in for a rude awakening and potentially find itself facing civil liability claims, criminal charges and fatal reputational damage.

That's the view of Tania May, POPI Compliance Specialist at Cape Town-based business consultants P'etanque International, who pointed out that the Protection of Personal Information (POPI) Act makes provision for fines of up to R10 million and/or up to 10 years' imprisonment of the organisation's CEO or MD.

Any organisation - be it private or public, for profit or non-profit - that processes personal information of clients, suppliers and/or staff, is required to comply with the Act.

"The appointment of former IEC Chairperson Pansy Tlakula as the country's Information Regulator, is a clear indication that time is running out for South African businesses and organisations to get their house in order for the full implementation of the Act," she said.

According to May, POPI-compliance is not a matter of ticking a box or showing a policy on your Web site. It is also not about a technical process to keep hackers and other cybercriminals from accessing data in the organisation's IT systems.

The Verizon 2015 IT Data Breach Investigation Report noted that 50% of the worst data security breaches that year were due to human error, with staff-related data breaches mostly involving sensitive information being made available to the incorrect recipients.

One of the greatest challenges to achieving POPI-compliance is that it is neither a one-size-fits-all nor a tick-the-box kind of approach.

"There is no authority issuing certificates of POPI compliance - each organisation must assess its own privacy risk and implement mitigating controls that are proportionate to the risk," May explained.

In addition, the Act requires that evidence be provided on why the policies and procedures of an organisation look the way that they do.

"Achieving compliance is therefore a process of integrating POPI compliant processes into the way that you conduct your business rather than just adding another company policy to your policy library," she said.

"The Regulator should be able to satisfy herself that your organisation is processing personal information in a fair, responsible and secure manner."

Every organisation should therefore have an effective and appropriate privacy policy and practice that ensures that all personal information is processed lawfully, and the personal information of data subjects is protected at all times.

P'etanque International recommends that organisations:
Perform a privacy risk assessment;
Put controls in place that are proportionate to the risk;
Self-monitor the effectiveness of these controls;
Write principle-based policies;
Create a Portfolio of Evidence of the risk assessment, the control universe, all decisions taken during this risk management process and approval of those decisions; and
Provide evidence to the Regulator and stakeholders of the above.

Should a data breach occur, the Regulator has to be informed and penalties will be handed down based on the above evidence. For example, if your database is hacked, the Regulator could decide that no penalties are required if all your data protection practices are judged effective and appropriate given your risk assessments.

"Ultimately, POPI-compliance is about the entire process of changing how personal information is viewed, at every level of the organisation. This requires a change in processes, perception and culture throughout the organisation, and that is highly dependent on training and change management. The bottom line is that POPI-compliance is about integrating the entire ethos of privacy protection into every business process," May concluded.