Think you're ready for POPI?
What companies must do to prepare for the Protection of Personal Information Act.
The Protection of Personal Information Act (POPI), enacted in November 2013 and soon to be implemented, is a far-reaching piece of legislation set to affect the business practices of any company that keeps or processes the personal data of any citizen.
In a world where companies that are less respectful of privacy may collect and sell user data to third parties, the government is serious about giving individuals full control over their own information and online presence.
Parliament has signalled its intention to furnish POPI regulators with a sharp set of teeth: penalties for being found out of compliance with POPI can include fines of up to R10 million, and up to 10 years in jail. To avoid the ire of regulators, as well as to steer clear of civil legal issues and reputational risks, companies must understand how POPI requires them to handle information, and how to implement the proper technology solutions to put themselves in compliance with the law.
What POPI requires
POPI includes a number of stated requirements, and each must be fulfilled in order for a company to remain in compliance with the law. POPI's provisions require companies to define the purpose for which they collect an individual's personal information, and inform the individual of what that purpose is. If a company wishes to process collected personal information for a use outside of the original stated purpose, it is required to obtain additional consent from the individual. Individuals may legally object to having their information processed, and they have the right to request access to their information and to have their information corrected or removed.
Companies are responsible even if they transfer the information to another company for processing on their behalf. An individual's collected personal information must be complete, accurate and kept up to date.
Companies must have an information retention and destruction policy in place in order to fulfil POPI's requirements of how information is handled. Personal information must be destroyed once it has achieved the original purpose for which it was collected.
And finally, companies are required to have specific security measures for maintaining the confidentiality and integrity of personal information in their possession, to regularly monitor and update such information, and to notify regulators and affected individuals in the event of any data breach.
Ready, set, go
Nearly every company out there will be affected by POPI, and should closely examine the information they keep to know where the provisions in POPI may apply to their business practices. Companies in industries such as healthcare, insurance and finance, which can deal with sensitive personal information as part of their everyday operations, should take special care to ensure the information kept is handled appropriately. It's true that POPI treats some kinds of more personal data as 'special information' - such as the facts of a person's religion, political views, or health status - and this information is granted even stricter protection under the law.
After a company has taken inventory of the personal information it has collected, it should commence with the process of safeguarding or destroying that data to keep in compliance with the law. Data that remains needs to be stored in an encrypted format to protect it from data breaches.
To be prepared for requests to remove data, companies should develop or seek out IT solutions for securely encrypting data while they hold it - and for eliminating data quickly and reliably when finished with it - even across all the various hardware and devices within the company.
Parliament has signalled its intention to furnish POPI regulators with a sharp set of teeth.
Secure, cloud-based solutions can be valuable for granting IT administrators an overview of where data rests within a company, as well as convenient controls for ensuring data placed onto new devices is encrypted and safeguarded as the law requires. Cloud-based systems can give organisations visibility into its inventory of mobile devices, and the ability to remotely enforce security measures beyond encryption alone.
Remote data access control, device quarantine, full data wipe and revocation of authentication are security measures that complement the safeguards of encryption. Further, businesses can rely on these tools for notification of risks and reporting mechanisms to demonstrate secure data practices to auditors and regulators.
The POPI legislation presents a new era of personal privacy for individuals and a few challenges for companies that need to adapt to meet the requirements of compliance. With that all said, POPI presents businesses with great opportunities too. Companies that acquire the right tools to make the transition smoothly will be positioned to present themselves as trustworthy and competent caretakers of personal data, and will do themselves a service as a newly empowered public makes choices around who they allow to handle their private information.