POPIA compliance in local government
One has to approach compliance slightly differently in local government in order to ensure success, says Gerrit Deyzel, ICT manager for Sebata Municipal Services.
With the European Union's GDPR (General Data Protection Regulation) coming into force in May, it's only a matter of time before the Protection of Personal Information Act (POPIA) is implemented locally - with some estimating it'll happen before December 2018.
Local businesses - government entities included - are well advised to start looking at how they acquire, process and store personal information ahead of time, instead of waiting until the last minute.
Gerrit Deyzel, ICT Manager for Sebata Municipal Services, says: "Organisations should not underestimate the amount of effort required to become compliant. There's still time for organisations to become compliant if they start by building on their strengths and only address what's missing.
"What's interesting is that personal information applies to not only almost all aspects of living individuals and their personal data (eg, financial, health, employment), but also data about juristic entities such as companies and other legal structures, including all three spheres of government."
Deyzel continues: "There's a misconception that an organisation's systems have to be POPIA compliant, but this isn't accurate, it's actually the people and processes within the business that have to be compliant. It's important to address IT governance before you can look at POPIA, the one is dependent on the other."
While businesses around the country are jumping on the POPIA bandwagon, Deyzel says it's important to separate government and the private sector, particularly local government, which is still heavily reliant on paper-based processes. From an infrastructure point of view, South Africa - and indeed Africa - is still behind the rest of the world."
Public sector organisations often require a great deal of data sharing to fulfil their mandates. This puts extra pressure on the public sector to respect the rules for legal processing. Specific challenges are in the area of clear consent being obtained and a renewed emphasis on data quality and security.
"When POPIA first came out, we identified a huge disparity in local government from an overall compliancy perspective. Some municipalities had started their digitalisation journey, others hadn't even begun to think about it. We needed a plan to ensure they were able to be compliant by the deadline, whenever that is."
Deyzel says POPIA workshops are being held countrywide on how municipalities can become compliant using the infrastructure they already have. "Obviously, digitalisation will make the process much easier, but not all of the local government offices are there yet, as funding and access to the relevant skills can be a challenge. Naturally, national government is much further along its digitalisation journey, so compliance will be much less of a challenge."
He says: "Wherever possible, POPIA compliance should make use of existing investments in people, process and technology. It shouldn't be necessary to rip-and-replace. In many cases there will be relatively simple and low-cost approaches, such as encryption, which may just need to be activated."
However, all too often, even those municipalities that have embarked on their digitalisation journey aren't using the technology correctly. Awareness is key to POPIA compliance, says Deyzel. "People need to know what they may or may not do with personal information, whether they have the authority to share it and, if they do so, who has access to it. All of this can be managed if you have the right people and processes in place."
Deyzel says it will be a simpler matter to implement POPIA compliance at smaller municipalities. The challenge will be the bigger municipalities that have no digitalisation plan in place. He says: "In each instance, we need to carry out an assessment, develop policies and processes, implement those and constantly review and update them. This last point is very important in the government space to ensure ongoing compliance with any future amendments to the act."
Steps to compliance
Deyzel proposes the following steps for businesses embarking on their compliance journey:
"Set up a multifunctional team that will look at all aspects of compliance. It's a mistake to think POPIA compliance is an IT issue - it's much broader than that. That team needs to identify the risk areas (such as physical and cyber security) and put together reasonable and appropriate, organisational and technical measures to address identified risks."
He adds: "The role of technology in compliance can be seen from two perspectives: as an opportunity and a threat. Information technology can help by providing robust, automated solutions for data protection, such as encryption and specialist data loss prevention tools. Technology can also be a threat if we don't understand where the weak points are and leave ourselves open to attack, whether through technical means (eg, hackers) or social engineering attacks (eg, spear phishing)."
Some organisations - such as local government - realise they don't have the skills in-house to assure compliance with legal requirements. The following criteria should guide this decision, according to Deyzel:
The organisation should identify what knowledge, skills and experience will be required to make POPIA compliance a success and then ask the following questions:
* Do we have the required knowledge, skills and experience in-house? If not, then draw up a list of external partners for POPIA compliance. This can be chosen using a similar set of criteria to any other requirement:
* Knowledge: can our suppliers demonstrate they clearly understand what's required to help us?
* Skills: can our suppliers prove they have the ability to complete the practical steps we will need for compliance?
* Experience: where is the evidence (such as reference sites) that the supplier has completed successful POPIA projects before?
* Value: can our potential supplier demonstrate they offer the best long-term value, to help us now and in the future?
The top five points for any organisation preparing for POPIA compliance are:
1. Assign responsibility at a senior level in the organisation, and don't make this an IT issue - it's much broader than that. If necessary, work with external advisors who have POPIA experience.
2. Carry out a risk management exercise: identify and size-up your risks and decide how to address them. Look at physical security and cyber security risks.
3. Do what's reasonable and appropriate for your organisation. There's no one-size-fits-all with POPIA compliance.
4. Engage your stakeholders, internal and external. POPIA compliance is a team effort, not a one-person show.
5. Whatever you do, make sure it's for keeps. POPIA compliance is not just a tick-the-box exercise, it's a long-term commitment.
Quick POPIA overview
In terms of POPIA, an organisation may have one or both of two primary roles. Responsible party is the role where the organisation processes personal information directly, such as that obtained from the organisation's customers, suppliers or employees. The second role is that of the operator, where the organisation acts a service provider to another responsible party. Examples of some of the most important requirements are:
For the responsible party
* Overall, comply with the eight conditions of the POPIA;
* Make sure there's consent for the processing;
* Make sure the purpose of processing is clear;
* Provide adequate notification, in particular for data subject rights; and
* Appoint service providers (operators) via a written contract.
For the operator
* Have a written agreement with each responsible party serviced;
* Be able to demonstrate contractual compliance;
* Put in place the necessary safeguards;
* Train staff in their duties in terms of processing; and
* Monitor processing practices for possible security compromises.
Non-compliance can lead to a number of impacts on the organisation. The regulatory authorities are enabled by POPIA to take a number of remedial actions, including, in more serious cases, financial penalties and custodial sentences. Other negative impacts can come from customers, staff, suppliers or investors who may have a crisis of confidence in the organisation, leading to reputation damage and loss of revenue.