Are you prepared for POPI Act, EU GDPR?
ITWeb Events spoke to Cleo Becker, regional counsel, emerging markets EMEA and Israel, legal and compliance, Hitachi Data Systems, about her presentation at the ITWeb Data Centre Summit 2017, 25 July, Focus Rooms, Sunninghill. It is titled: Are you prepared for the Protection of Personal Information Act (POPI) and equally aware of the incoming EU General Data Protection Regulations? She intends to tackle the question of whether mere compliance with POPI meets the requirements for compliance under the GDPR; how having the right technology in place can assist companies with meeting the requirements of both POPI and the GDPR in an efficient manner; and lastly how companies can mitigate risk and create a unique value proposition by utilising technology and ensuring the right policies are in place for their governance strategy.
ITWeb Events: Can you tell the readers a little bit more about POPI and how it pertains to those organisations that have a data centre or outsource to a data centre either built or in the cloud, and would the regulations be different?
Becker: The Protection of Personal Information Act attempts to finally bring South Africa in line with international standards for the collection and storage of personal information. POPI is the overarching piece of legislation in South Africa that deals with the processing and storage of personal information. POPI imposes obligations on corporations when it comes to the way in which they collect, store and use personal data belonging to individuals such as their employees and customers.
With digital transformation having impacted all companies, irrespective of size or industry vertical, electronic data has become the cornerstone of modern-day business. As the data often includes a large amount of personal information (any information which identifies a natural or juristic person), companies in South Africa need to make sure they know which data they hold and where it is stored (onsite or in the cloud) in order to comply with POPI's processing requirements.
Some key features of POPI's processing principles which impact the technology on which a company chooses to store its data are Security Safeguards (which require companies to secure the integrity of personal information and prevent loss of, damage to, or unauthorised destruction of it, by taking appropriate measures) and Data Subject Participation (which provides the individual whose personal information is stored with certain access rights to their personal information stored by the company in question, including the right to request its deletion).
These requirements mean a company's technology needs to be secure and highly available with the ability to discover data irrespective of where it is stored (whether onsite, hybrid or public cloud) and independent of application or data silo.
ITWeb Events: How is 'South African' data affected by the EU GDPR?
Becker: South African companies may be affected by the GDPR even if they have no EU presence when: (i) an EU resident's personal data is processed by that company in connection with goods/services offered to him/her; or (ii) the behaviour of individuals within the EU is "monitored" by the company.
The potential fines under the GDPR are extremely large in contrast to those under POPI. GDPR sanctions include administrative fines of up to 20 000 000 euros, or in the case of undertakings, 4% of global turnover, whichever is higher. A penalty of this magnitude would bankrupt most South African companies.
ITWeb Events: What in your opinion is the biggest stepping stone/challenge for SA companies embarking on the POPI journey?
Becker: The biggest challenge will be for South African companies to conduct the initial due diligence exercise required to understand what personal information they have, where it is stored and how it is stored.
Once this assessment has taken place, companies can start to put the necessary policies and technology in place to ensure ongoing POPI compliance.
In order to manage data in a POPI compliant manner, companies need to make sure their data is discoverable, governable and actionable.
ITWeb Events: What are the three lessons learnt that you would like the attendees to take away with them from your presentation?
Becker: Firstly, that the audience understands the key similarities and differences between the GDPR and POPI; secondly, how technology can be utilised to kick off an initial assessment to locate all sources of stored personal information; and lastly, some of the key features that should be required from a technology perspective in order to store your company's personal information in a POPI/GDPR compliant manner.
GDPR/POPI compliance is an ongoing journey.