
Legislation governing how companies handle information is finally set to become law, after 10 years in the making, but many firms may be caught unaware of how much systems change compliance will require.
The Protection of Personal Information (PPI) Bill is the first consolidated piece of privacy legislation in the country, and specifies how, and for what purposes, personal information may be used. It also sets out how data must be stored securely, and obliges companies to notify people when their information has been breached.
Non-compliance carries hefty penalties under the proposed legislation, which is expected to be signed into law as early as the end of this month. If signed by President Jacob Zuma this month, it is likely to commence around September, giving companies until about September 2014 to comply.
Law firm Michalsons points out that failure to comply will have "significant consequences". It states that the risks entities face if they do not comply include reputational damage, a R10 million fine, and a 10-year jail term, in addition to the danger of a civil suit.
However, many companies are unaware of the amount of work compliance will involve; this varies, but could be as extensive as an enterprise-wide systems overhaul, says John Giles, an attorney with Michalsons.
Grace period
Giles explains that the Bill is slowly making its way through the Parliamentary process. The Select Committee on Security and Constitutional Development (a committee of the National Council of Provinces (NCOP)) is set to deliberate on the pending law again next Wednesday and may adopt the Bill, he says.
If it is adopted, it will have been adopted with amendments, so it will have to go back to the National Assembly, which will then either pass it or start a process to find consensus with the NCOP before passing it, Giles notes.
Once passed, it will be signed into law by the president, which could be as early as the end of March, says Giles. Once signed, it will probably only commence about six months after that and companies will have a 12-month grace period to comply, he adds.
"By about September 2014, all processing will have to conform with PPI. Given the amount of work that needs to be done to achieve this, September 2014 is just around the corner."
Unprepared
However, there is currently widespread ignorance of the amount of work that needs to be done to comply, and many companies are not aware of what the Bill's requirements are, says Giles.
Giles points out that this is not the end of the world, as companies may be compliant without realising it, and the amount of work to be done will depend on what sort of information needs to be protected.
A recent survey of more than 300 South African companies revealed that only 26% are actively looking for technologies and adjusting processes to ensure they comply with PPI. The survey, sponsored by Cibecs business data protection, looked at current South African business data security trends and statistics.
It found that 38% of South African companies surveyed are still using outdated data security strategies, where they expect users to follow a policy and back up their data to a central file server or external hard drive. Some 9% of businesses reported having no data protection in place at all.
Giles says entities need to work out what sort of impact the law will have on them based on the amount and type of information they process. For low-impact entities, he says, it will not be a major job to become compliant.
However, high impact could mean an enterprise-wide systems overhaul, says Giles. He adds that there has been a trend of entities totally underestimating the impact, which could be pervasive across the organisation. "It really should be run as a project."
In addition, notes Giles, the law does not just cover consumer information, but also company-specific identifying data, such as addresses, which also need to be protected.