POPI and EU GDPR: do businesses actually get it?

Companies should be investigating content management platforms that manage and protect their enterprises, says Lenore Kerrigan, country sales director at OpenText South Africa.

Johannesburg, 26 Sep 2018
Read time 3min 40sec

According to the findings of a recent survey from ITWeb and OpenText South Africa, 63% of respondents said their organisations have a strategic plan in place to meet the Protection of Personal Information (POPI) Act requirements, with exactly the same percentage saying they'd like to know how personal information is defined.

This kind of conflict is food for thought, says Lenore Kerrigan, Country Sales Director at OpenText South Africa, an enterprise information management solutions provider, and it is also the reason POPI is in such heavy debate across the country.

"An overwhelming majority of respondents understand that non-compliance of the POPI Act could result in fines of up to R10 million or even jail time," she says. "On the flip side, while the percentage figures were low, it is alarming to see that 17% of organisations do not yet correctly label their information for instant access, while 19% aren't sure if they have a plan to meet requirements, and that less than 42% of respondents have a content management solution in place for their business."

Businesses with relationships to EU markets are facing additional compliance issues. With the enforcement date of 25 May 2018, the EU General Data Protection Regulations (GDPR) is now putting South African businesses at risk, too. "Simply put, if your business doesn't comply with the POPI Act today, it likely doesn't meet the requirements for the stringent EU regulations.

"In order to discuss solutions to the challenges posed to business by the POPI Act and EU GDPR, one must first understand the Acts," says Kerrigan.

Local legal services provider, SEESA, sums it up quite succinctly: "The purpose of the POPI Act is to ensure all South African businesses conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity's personal information by holding them accountable should they abuse or compromise the third party's personal information in any way."

What this means for business is a vastly heightened level of accountability.

"Businesses must ensure compliance and it is up to them, as the responsible party, to ensure their staff comply and all reasonable steps are taken to ensure privacy. Gone are the days of simply processing personal information. Now, businesses will need to have consent to use data, the owner of this data will need to be told that their information is being used, and this information can only be used for an agreed on purpose and within a proposed timeline, after which it must be destroyed," explains Kerrigan.

"Businesses are no longer allowed to use a person's information for more than the purpose specified and it is up to them to ensure that all of this information is complete, accurate, not misleading and updated when possible."

When collecting data, business will now have to openly declare why they are collating it, what the purpose of use of this data will be, who they are collecting it for, etc, and all measures have to be taken to keep this data safe at all times, including stricter security measures to prevent data loss, damage, or unlawful access.

Lastly, all customers have the right to access their information on demand, find out who has access to it and request credible evidence as to where it came from. With GDPR, the 'right to be forgotten' adds an additional challenge.

"Put plainly, what this means for the 58% of respondents who do not yet have strategic plans in place to manage POPI regulations is that they could be in trouble, because without strict governance and a content management solution that monitors content throughout its life cycle (from creation/capture to archive/destruction), there is no alignment with the regulations put forward," says Kerrigan.

"With POPI and GDPR, end-to-end management of all information is required as soon as it is created, secured and consumed, and if they're not already, businesses should be investigating content management platforms that manage and protect their enterprises soon."

For more information, readers are invited to visit

Editorial contacts
1215 Media Nicole Spruijt
Login with