
SA firms drag feet on PPI compliance

By Suzanne Franco, Surveys Editorial Project Manager at ITWeb.
Johannesburg, 16 Jul 2013
The protection of personal information law impacts not only data security, but also all aspects of data management and utilisation, says Deloitte Legal's Dean Chivers.

Considering that the Protection of Personal Information Bill has been passed by the National Assembly Portfolio Committee and approved (subject to some minor amendments) by the Council of Provinces, the president's signing of the Bill into law seems imminent.

So says Daniella Kafouris, privacy leader at Deloitte Legal, commenting on the results of the ITWeb/Deloitte PPI Bill Survey, which ran online for 14 days during June.

According to the results, 41.11% of respondents have not started complying with the PPI Bill.

"With only a one-year period provided to achieve compliance, those companies that have yet to start compliance steps will struggle to become compliant in time. Non-compliance not only has significant penalties - including fines and jail sentences - but it will also affect a non-compliant company's ability to continue typical business practices like direct marketing, outsourcing and cross-border data flows.

"It is strongly recommended that companies undertake a detailed gap analysis so that they can grasp exactly what they need to do to become compliant, what that will practically involve, and how long it is likely to take," advises Dean Chivers, director of Deloitte Legal.

When asked whether their organisations have appointed privacy officers, 24.44% of respondents said they had, while 56.67% had yet to consider it.

Chivers explains: "It is a legal requirement that every company appoints a privacy officer. To not do so would be a contravention of the protection of personal information law. We recommend companies appoint a privacy officer sooner rather than later, as it provides a focal point for the implementation of the companies' compliance processes. It also facilitates the privacy officer becoming familiar with the practical implications of becoming compliant and understanding his/her role."

Commenting on how organisations can benefit from having information security policies, processes and procedures in place, Kafouris says: "Security in respect of people's data is something that all reputable companies have always considered as part of good data governance."

The PPI Bill now legislates this governance requirement and therefore strong data security does not only address compliance with this new law, but also demonstrates a respect for people's data and in turn enforces commitment to good corporate and data governance, she says.

Just over half of the respondents (56.1%) stated that their organisations do have information security policies, processes and procedures in place; 10.98% said they have no high-level data security; 12.2% only secure softcopy data; and 10.98% only secure hardware data.

It also emerged from the survey that 21.18% of respondents regard systems that have not been secured correctly as one of the highest privacy risks to their organisations; however, third-party service providers and poor policy governance were also viewed as significant concerns, at 16.47% and 14.12%, respectively.

Some 44.3% of survey respondents stated that their organisations do not transfer personal information across borders, while 27.85% do. Chivers elaborates: "The protection of personal information law is very much aligned to the data privacy laws in effect across much of the world, including the UK, the EU, Canada and Australia. All data privacy laws regulate and restrict the ability of companies to transfer personal information across borders. As this will be a new restriction to South African entities, one needs to start by understanding which countries your entity transfers data to, and then analyse their data privacy laws. This is the starting point to understanding what will need to be put in place to allow such cross-border data flows to continue."

"All South African entities need to understand that the protection of personal information law impacts all aspects of data management and utilisation. This means it affects almost every aspect of a company's business operations. This includes the manner in which data is collected, what can be done with it, and when it must be stored and destroyed. It also significantly changes the rules around common business practices like direct marketing, outsourcing, shared services and cloud computing, which is the first step to understanding what you will need to change in your current business processes," Kafouris concludes.
