Privacy law an onerous burden
Johannesburg, 14 Sep 2012

SA's pending Protection of Personal Information Act - which is expected to become law by January - will place a huge burden on companies that deal with people's private information.

Companies will have to spend around 10% of their annual IT budget to comply, and it could take as long as five years for the necessary systems to be put into place.

The law, which has been about a decade in the making, will be the first consolidated piece of privacy legislation in the country. It dictates how and what personal information can be used, and how it must be stored securely, and forces companies to tell people if their information has been breached.

However, few South African companies are prepared for the new law, and once it comes into effect, corporate SA will only have a year in which to implement its stringent requirements, or face a fine of as much as R10 million for serious breaches.

Tall order

Peter Hill, a director of the IT Governance Network, explains the law regulates how personal information can be used, after recognising that personal information and any commercial value belongs to the individual.

Hill says an estimate of the cost of implementing measures to protect data would be at least 10% of the total annual IT budget. He says there will be long-term benefits, and smaller, more agile companies are likely to be favoured by customers who value their privacy.

Although companies have known about this legislation for almost 10 years, even industries that are already highly regulated seem to be a long way away from meeting the requirements, says Hill. He notes that some companies have continued to exploit the use of personal information for as long as possible.

Most firms will take three to five years to address the conditions contained in the pending law, says Hill.

Dean Chivers, a director in Deloitte & Touche's legal department, says implementing the legislation will be extremely onerous. “Historically, South African companies have not had a legal obligation to manage their data in any specific way and, while we have always had retention obligations, we have never had destruction obligations.”

Compliance is likely to take between one and three years to achieve, notes Chivers. He points out that a recent Deloitte ITWeb survey revealed that few companies have achieved compliance, and only around 50% of the companies surveyed had commenced compliance steps.

“Even more worrying is the large percentage of companies that do not even understand the impact of the law and the compliance requirements... Any medium or large entity, which has not commenced compliance activities by the end of this year, is very unlikely to comply timeously.”

Information is king

The legislation is a data law, which relates to both soft and hard copy data, says Chivers. Although time and cost to implement will vary, geographically spread companies and those in sectors such as telecommunications, health, financial services and consumer business are likely to have greater challenges, he adds.

Chivers explains that the pending law lays down rules throughout the data lifecycle, which includes collection, processing, retention, destruction, quality and security. “This radically changes the manner in which almost every process flow takes place within organisations going forward.”

The Bill, which was tabled in 2009, has been passed by the National Assembly, and will now go to the National Council of Provinces for approval, says Chivers. It is likely to become law in about six months, he adds.

Protecting consumers

Elizabeth de Stadler, a senior associate with Esselaar Attorneys, says the law means consumers will now have to give their consent for their information to be processed for any reason. It should also make it harder for unscrupulous spammers to get hold of people's details.

De Stadler adds that the most significant aspect for consumers will be that suppliers cannot direct-market to them without their permission as the Bill works on an opt-in principle. “It is watered down by the fact that a supplier can contact you to get your permission once, and that if you are an existing customer you are presumed to have opted in if you failed to exercise a right to opt out on the assumption that the option was given to you.”

For the first time, there is a law that enables individuals to seek civil damages either directly or indirectly through the information regulator, says Hill. He explains that the burden of proof rests with the public or private entity and not at all with the individual. “It will be a very brave company that will consider defending an action in court.”

Hill says the law requires no more than what has been seen as good practice for collecting data. He says it will cost companies more than they had budgeted for over the next year, but individuals will save much more over the next 12 months and further into the future than in the past.

The law will force companies to implement better housekeeping and reduce the clutter of unnecessary documentation being retained, and reduce the associated risks, says Hill. “This legislation is a major milestone in our democracy. It is not a trivial Act with few consequences.”