PoPI: It’s time

By Tamsin Oxford
Johannesburg, 02 Dec 2021

The Protection of Personal Information (PoPI) Act has undergone several iterations, deadline shifts, changes in approach and regulatory refinement since it was first passed on August 20 2013. Since then, the regulations and the regulator were defined in 2014; in 2015, nominations for candidates kicked off, and in 2017, public comment was invited. In 2018, final regulations were published in the Government Gazette, and the Act finally took effect on July 1 2020. Full compliance is now required in exactly a year: July 1 2021.


The checklist

This is the essential PoPI checklist that will help you show your preparedness, and help you get prepared:

1. Cover all four pillars: people, process, technology and data. (Gary Allemann, MD at Master Data Management)
2. Look at third-party risk management, consent management, and incident and breach management. (Leishen Pillay, Cyber Data Privacy leader at Deloitte Africa)
3. Appoint an information officer and audit the processes used to collect, process and store personal information. (Stuart Oberholzer, Information Security Compliance manager at PaySpace)
4. Establish a PoPI task team, conclude agreements with third parties that process personal information for your business, and provide appropriate internal PoPI training. (Danie Strachan, partner and attorney at Adams & Adams)
5. Do an inventory of systems and data locations with sensitive information in scope for PoPI, with clear data retention policies. (Simeon Tassev, QSA & MD at Galix)
6. Put an authorisation system in place and update the company terms and conditions in accordance with the requirements of PoPI. (Ilonka Badenhorst, managing executive, WASPA)
7. Protect your data: apply flexible protection actions that include access restrictions, encryption and MFA, depending on whether the data is public or confidential. (Colin Erasmus, Modern Workplace Business Group lead at Microsoft South Africa)

Some companies are adopting a wait-and-watch approach, while others are looking at the headlines and wondering where to start. Both should take it seriously. The office of the Information Regulator, headed by Advocate Pansy Tlakula, seems to be taking a proactive stance, which may mean nasty surprises for those that aren’t prepared. And what company doesn’t want to be capable of competing on the international stage when it comes to privacy and protection? Privacy regulation has become a global standard, with more than 120 countries having enacted their own variations of the de facto benchmark, the EU’s General Data Protection Regulation (GDPR). From Brazil to India to China and even the US, regulations are cementing how information is stored, managed and protected, so why be left behind?

“One of the rationales for implementing PoPI was to remove the barrier to trade caused by South Africa not having adequate data protection legislation in place,” says Sián Fields, consultant attorney at Reynolds Attorneys. She explains that, without such legislation, the flow of personal information between South Africa and the EU and UK would have been prohibited unless specific contractual clauses were agreed, as mandated by GDPR.

Unlocking value

“PoPI is based on global data privacy principles, and in that way, aligns with the global approach to data privacy. The ethical and transparent processing of personal information is imperative,” says Leishen Pillay, cyber data privacy lead at Deloitte Africa. “Even in the absence of PoPI, data privacy remains fundamental, and the right thing to do.”

PoPI unlocks value for the organisation and its stakeholders. It ensures compliance that engenders customer trust, enhances a company’s cybersecurity strategy, and ensures data discipline and quality. It cements foundations in data efficiency and standardisation, and delivers increased data asset value. There may be plenty of compliance boxes to tick for PoPI, but they offer up as many advantages as they do admin and complexity. And there are quite a few boxes.

According to Danie Strachan, partner and attorney at Adams & Adams, the business should by now have: selected an information officer who will be registered with the Information Regulator; determined whether it needs prior authorisation from the regulator to process certain types of information in certain situations; put in place a clear and comprehensive privacy notice; concluded written agreements with service providers and other third parties that process personal information on its behalf; assessed the changes that need to be made to direct marketing activities; and determined whether it transfers any personal information across South Africa’s borders and, if so, whether those transfers comply with PoPI.

Says Fields: “At a minimum, the business should have a defensible compliance position to be able to demonstrate that it is not ignoring the legislation and has taken basic steps to achieve the minimum level of compliance.”

The golden thread

The easiest first step is to ensure that basic documents are in place. This involves implementing policies around data privacy and security, both internally and externally, and ensuring that the relevant PoPI compliance clauses are embedded in third-party and customer contracts. Then, before you panic about the weight of the to-do list, undertake an assessment of the data that the organisation processes and how it is processed. Dig deep into the systems that you use and unpack precisely where the information lies, who has access to it, what it’s used for, and how these parameters are affected by PoPI.

This is the bare minimum that should be understood, right now, to ensure that the business is on track to achieve compliance.

“Data is the golden thread for so many aspects of business today, so it’s essential that it’s governed, protected and correctly used to unlock its value,” says Colin Erasmus, Modern Workplace Business Group lead at Microsoft South Africa. “It can be cumbersome for the organisation to identify and understand the data, but failure to do so will make it difficult to protect and to ensure compliance.”

Compliance is not just technology tools, assessments, investments, checklists and admin; it is a change in mindset and culture. Companies need to train their people so they understand the why of PoPI and the how of data management, governance and protection. This mindset not only shapes compliance, but goes a long way towards entrenching security into every layer of the organisation. People are the weakest link, and even if the business is as compliant and dedicated as can be, a breach or exploited vulnerability has long-term financial and reputational consequences. So, put training in place, and not just documents and checklists.

As Ilonka Badenhorst, managing executive at the Wireless Application Service Providers’ Association (WASPA), says, data privacy is good governance and should be taken seriously.

“Data is a commodity. We’re not acting in isolation; we are part of global best data practice.”