Privacy law presents opportunity to sort data
The need to clean up databases of information is an opportunity for organisations to streamline, says Esselaar Attorneys.
Apart from dictating how personal information can be used and stored, the pending privacy law will also create an opportunity for companies to clean up their databases and save operational expenses in the future.
The Protection of Personal Information Act, which just has to be translated into Afrikaans and signed by president Jacob Zuma before coming into effect, governs how companies deal with personal information such as names, addresses and identity numbers.
While it will involve some initial pain, Elizabeth de Stadler, a senior associate with Esselaar Attorneys, says there will be operational and reputational benefits for companies that comply. She adds that companies need to do what is reasonable to comply with the pending law, but can use it as an opportunity to get rid of unnecessary data.
SA's privacy law is the first consolidated piece of privacy legislation in the country, and dictates how, and for what, personal information can be used. It also dictates how data must be stored securely, and forces companies to tell people if their information has been breached.
The Bill also seeks to regulate direct marketing and unsolicited communications, and should cut down on spam, as it specifically speaks to electronic communications and calls from telemarketers. SMSes and e-mails account for the bulk of spam.
Non-compliance carries hefty penalties under the proposed legislation, with fines of as much as R10 million for breaches. Non-compliance also carries the risk of reputational damage, which could lead to companies losing customers and failing to attract new ones, which De Stadler says is the biggest risk.
"People care about their personal information."
De Stadler says the principles in the legislation include that companies must examine what information they have relating to customers and potential customers. If there is no good reason to possess this information, they have to dispose of it properly, she adds.
In future, there must be a specific reason why information is collected, and this must be for the purposes of the transaction, says De Stadler. People can ask for what purpose their information will be used, she notes.
Look to Europe
The law, which has been a substantial amount of time in the making, is based on the European data protection directive. De Stadler says, because of this, there is already much information available that will help companies comply.
Once the Bill is inked, companies will have about a year to get their houses in order. A recent ITWeb/Deloitte PPI Bill Survey showed that 41.11% of respondents had not yet started complying with the PPI Bill.
De Stadler says South African companies have been quite lax about looking after personal information, and those that are already compliant are likely to have offices in Europe. She says it is expected that whatever applies in Europe will apply here.
Companies will face a once-off cost to sort through their data and determine what they have, what should be kept, and what should be disposed of. Disposal must be done properly to avoid criminals being able to dumpster dive, while information that is kept needs to be secured, she adds.
Tools to assist smaller companies in complying are available online, such as information provided by the UK's Information Commissioner's Office, says De Stadler. She adds that compliance need not be costly, and will depend on the sensitivity of the information.