
Preparing for POPI

By Regina Pazvakavambwa, ITWeb portals journalist.
Johannesburg, 18 Jun 2014

Organisations need to remember that the Protection of Personal Information (POPI) Act is not simply an issue to be thrown at their IT professionals.

So says Jordan Biermann, knowledge manager of Ovations, who points out that appropriate steps need to be taken to ensure the correct procedures and policies are implemented if a business is to be compliant with the law.

The POPI Act was signed into law by President Jacob Zuma in November last year, but a commencement date is yet to be announced.

The law is SA's first consolidated piece of legislation detailing how individual and company information must be dealt with. The act requires organisations to have a legitimate reason for collecting customer information and requires them to destroy the information once it has fulfilled its purpose.

Under the law, companies face a fine of up to R10 million - or a decade in jail - if they breach its provisions, and could also encounter civil class-action lawsuits. However, the most devastating penalty will be reputational damage, because organisations will have to inform people if their data has been breached.

According to Heino Gevers, specialist at Mimecast, POPI compliance involves behavioural modifications as well as new processes and procedures.

Biermann advises that there is no fix-all solution for POPI compliance. Due to the vast difference in the structures, systems and roles of companies, it would be virtually impossible to create a blanket solution, he states.

Companies should focus on having their business policies, procedures, roles and systems assessed in order to find the gaps that require attention. Once the gaps and challenges have been identified, a company can start to look into creating a tailor-made solution to become POPI compliant, says Biermann.

Similarly, Gevers says, all the areas specified in the POPI Act need more than technology to manage them; they require someone with a good grasp of the Act to audit the business and work closely with individuals in different areas of the organisation to design procedures that will ensure that compliance is obtained and maintained.

Implementing new or amended policies requires effective people and change management interventions so that those impacted feel empowered and able to work in the new way, he adds.

Governance, compliance or risk managers in an organisation should work closely with legal representatives and in collaboration with IT managers to ensure that all areas in the business are streamlined to responsibly manage personal information, states Gevers.

According to Drew van Vuuren, CEO of 4Di Privaca, companies need a data protection officer who will be responsible for managing the compliance process, representing the business to the Regulator and being the contact point for data subjects who are querying the business on the data it holds on them.

In addition, Alastair Tempest, chief operating officer of Direct Marketing Association of South Africa, says a company has to appoint an information officer who will be the first 'port of call' by the regulator in case of a complaint.

Tempest states that until the regulator is in place, no one can tell exactly how it will react on any specific issue. He adds that all organisations can do is look at experience outside SA.
