
Unsure of the issues

Many businesses remain confused and apprehensive about the various new governance principles and laws.

By Ilva Pieterse, ITWeb contributor
Johannesburg, 16 Nov 2010

“South Africa has some of the best governance principles in the world in King III,” says Jayen Vyravene, MD of Quency. “Yet local legislation dealing with IT governance compliance is not well defined.”

Not only does local information legislation cause confusion in the industry, but many companies choose not to comply, as they feel the laws are not adequately enforced.

“The intention of these laws is to protect information assets, but current legislation is very loosely enforced,” says Hedley Hurwitz, MD of Magix Integration.

“There is an arrogance in the business world that new laws will not be enforced,” says Bryan Balfe, business development director at CommVault Systems. “Compliance is easy to push for where the penalty is jail time. The US legal system has this. So has Europe. One step out of line in the compliance department and you'll pay the price - literally. In SA, we don't have such legislation yet. Our ECT Act lacks the bite to match its bark and has not motivated companies to tackle compliance any more seriously in the last three years.”

Despite this view, warns Vyravene, it is becoming increasingly important to adhere to compliance pertaining to corporate data. “This is not only because it is compulsory when dealing with many international organisations and because inevitable legislation in South Africa will be implemented, but because information has become a company's greatest asset in the new business landscape,” he says.

According to Ramjith, business is not conducted in the same way as it was 20, 10 or even five years ago. “For example, e-mails have become legally binding and one can now be held accountable (and liable) for claims made on social media,” he says.

“There is a disconnect between achieving compliance and the benefits it provides,” says Hurwitz.

“In most part, businesses fail to see the benefits to compliance. Larger corporates feel they are obligated to adhere to the various laws and governing principles that affect IT, but they need to realise that it also provides a tool to manage business in future.”

“There is a need to dispel the myth of compliance,” explains Ramjith. “Achieving compliance is generally seen as such a massive undertaking, but it is not necessarily such a big thing.”

“It is highly likely that most companies can use what they already have,” says Balfe.

“In many cases, paying a fine has been viewed as the easier option compared to taking on such a huge project,” he adds. “With more penalties than simple fines, this is changing.”

Vyravene believes a big driver for compliance is disclosure.

Gearing up for POPI

Balfe believes the Protection of Personal Information (POPI) Bill will set things straight. “The Information Commission assigned to this Act will have teeth,” he says.

“A number of laws in South Africa are not properly regulated, which definitely leads to organisations not complying,” says Gerrie van Gaalen, partner at Van Gaalen Attorneys. “However, all organisations should know that not complying with an Act as important as POPI could lead to reputational risks, which is sometimes a more expensive exercise than a penalty or fine.”

Balfe explains that although some of the bigger organisations have been trying to interdict POPI, the ministers involved are adamant that the law is being passed as planned.

“The legislator has drafted the POPI Bill with reference to certain legislation, such as the 1995 EU directive on data protection and the Data Protection Act 1998 of the UK, with the intent that once implemented it will be regulated in a similar manner,” explains Van Gaalen.

He says companies should realise that consumers will only do business with organisations they can trust. “An organisation that fails to comply with the approaching POPI Act will lose its customers and eventually see a drop in its share price,” he says. “Again, this may be more detrimental than a fine.”

Furthermore, Balfe believes there is a growing appetite in the media to expose companies for non-adherence to legislation. “POPI is going to potentially provide the media with a lot of story material,” he says.

Lessons from the financial sector

According to Trevor Ndobela, MD of Quarphix, it was due to local financial legislation, like the National Credit Act, that SA managed to survive the economic meltdown reasonably unscathed.

“The impact of the financial downturn on SA was minimal compared to the US, for example. This was due to some of the legislation that was enforced way ahead of the last two years that helped cushion us during the crisis,” he says. “This needs to take place in IT.”

Although GRC in SA is still relatively immature, there will be a dramatic increase in maturity over the next few years, says Vyravene. “There has been a strong interest in GRC recently, especially over the last two months,” he says. Widespread adoption, he believes, will see corporate cultures increase in honesty, trust, and awareness.

A Few Words on the POPI Act, By Gerrie van Gaalen

1. First of all, the POPI is not limited to companies, but will be applicable to natural persons, juristic persons, an administrative body or any other entity.

2. The Act will create additional obligations for all of the above organisations that deal with personal information (automatic and non-automatic processing of PI).

3. Organisations must now act and execute the necessary information classification to establish whether they actually deal with PI and then label same for internal purposes.

4. Organisations will now have to process PI in accordance with specific principles. Each principle entails a variety of obligations and actions to be executed by an organisation processing PI, ie:
a. To obtain consent from the data subject;
b. To explain to the data subject what information is collected;
c. To explain to the data subject the purpose of collecting PI;
d. To adhere to certain retention periods;
e. To fully disclose the organisation's details AND details of any third party that may process PI on behalf of the responsible organisation (ie, in cloud computing scenarios);
f. To notify the Commission that the organisation is collecting PI;
g. To identify information risks and mitigate those risks accordingly, ie, implement security safeguards;
h. To execute the necessary due diligence on third-party service providers that will process PI on behalf of the organisation;
i. To notify the Commission and the data subject of information breaches in a certain manner; and
j. To allow the data subject access to his/her PI.

5. As a result of the above, organisations that deal with PI will have to make changes internally to ensure they can deal appropriately with PI. Organisations will have to amend their current internal policies so that their own employees understand the risks and how to manage PI, and will have to amend their current agreements with customers and the privacy policies presented to customers. Organisations will further have to implement appropriate security measures or appoint an appropriate third party to execute security measures on their behalf. However, the latter will not eliminate the organisation's accountability for dealing with PI.
