POPIA makes SA CEOs more accountable
Following a three-month delay due to coronavirus – and more than seven years after its enactment – the Protection of Personal Information (POPI) Act has finally come into force.
The aim of POPIA is to ensure that those who collect and manage personal information are obliged to protect it from misuse and exploitation, as well as to respect the rights of information owners.
CEOs and organisations in South Africa who flout the regulations run the risk of fines and/or imprisonment.
The government has given businesses until 1 July 2021 to conform to the legislation, but the clock has started ticking and the time for IT departments to act is now.
What, in the main, is POPIA looking to address?
- The conditions for the lawful processing of personal information.
- The regulation of the processing of special personal information.
- Codes of conduct issued by the Information Regulator.
- Procedures for dealing with complaints.
- Provisions regulating direct marketing by means of unsolicited electronic communication.
What does this mean for businesses?
Up until now, businesses have regarded compliance as preferable, but not necessarily essential. This is no longer the case.
Although the POPI Act continues to be put into operation incrementally, the latest legislation provides more bite to protect consumers.
Public and private bodies are obliged to use the one-year grace period to take all relevant steps – or risk the imposition of sanctions and reputational harm if they are found to be non-compliant.
Many global organisations, mindful of their obligations under the EU’s General Data Protection Regulation, will already have implemented at least some of the requirements under POPIA.
However, others will need to review and refine policies set up to ensure data protection compliance.
How should organisations ensure they are compliant?
Start by conducting an assessment of data processing activities to establish the level of POPIA compliance and identify any gaps.
Scrutinise the flow of personal information, both within your organisation and with third parties, focusing on measures to prevent unauthorised access to personal information.
This should include staff training, updates to policies and procedures, and a full review of all customer, supplier and third-party agreements relating to data privacy.
Establishing a data breach/incident response plan and policy cannot be overlooked – neither can the management of subject access requests, which are likely to increase in number.
The POPI Act gives individuals more power to access any details held on them, and complying with subject access requests can put considerable strain on already stretched IT resources.
What are the penalties for non-compliance?
The POPI Act will hold companies to account when collecting, processing, storing and sharing personal information.
Penalties for non-compliance include fines of up to R10 million and a jail sentence of up to 10 years.
LogBox, a South African medical data start-up, announced within a week of POPI taking effect that a report would be filed with the new Information Regulator after the company’s database containing access keys for thousands of patient records was briefly exposed to potential hackers.
What should organisations look for in a solution or service to help comply with the POPI Act?
To mitigate the risk of unauthorised access, deploy a solution that encrypts all data before it leaves its primary location.
By ensuring that you, not the provider, choose and hold the encryption key, you can be certain that not even the backup provider is able to read the data.
Using TLS to protect backup traffic in transit to the cloud or offsite location adds a further layer of protection on top of the encryption applied at source.
When deciding how best to protect your data, also consider whether your provider goes that extra mile, offering search and insight to assist with subject access requests.
Organisations will be able to save a lot of time and money if they have the capability to:
- Discover, search and action data from any device via an intuitive Web interface.
- Easily evidence compliance – including the requirement to securely erase files from within backup and archive environments.
- Search all live, backup and archived data with a full audit trail.
- Restrict permissions, track search sessions and monitor data deletions.
Many South African businesses admit they do not even have record management in place. This leaves their CEOs accountable for non-compliance after POPIA’s one-year grace period. There is no time to lose.
Redstor, a cloud-first data management SaaS company with headquarters in the UK, has extensive experience of helping organisations address the challenges of GDPR.
With a unique technology developed in South Africa, Redstor is perfectly placed to provide solutions for the challenges businesses now face with POPIA.