BUSINESS TECHNOLOGY MEDIA COMPANY
Companies
Sectors

Compelling reasons for SA firms to comply with POPIA

Where does the Protection of Personal Information Act come into the data privacy picture for South African businesses?
Read time 4min 00sec

The Protection of Personal Information Act (POPIA) and General Data Protection Regulation (GDPR) have similar intentions towards data privacy.

POPIA was legislatively passed in 2013 but is not yet enforced. One source guestimates POPIA’s effective date will be around 1 June 2020. Thereafter, a likely two-year grace period will apply and will end on 1 June 2022.

Organisations needing to comply with both would probably do well to get their GDPR ducks in a row first, as they may glean valuable insights that can be applied to their POPIA compliance endeavours.

It is concerning to note that only 34% of South African organisations are reportedly ready to comply with POPIA. This probably begs the question: what are the compelling reasons for local companies to comply with POPIA if it will only be enforced in three years? To add to that, POPIA is already many years behind schedule, so why should anyone bother about it now?

The answer is both simple and obvious – criminals aren’t waiting for POPIA to take effect before they try to crack your systems. Therefore, compliance benefits apply to data-security-enhanced operational efficiencies. Another reason to bother with it at this stage is the size of the fines!

Whose responsibility is it to ensure compliance?

The answer to this question is not to make the mistake of laying it all on the shoulders of security and risk managers. While they are key players, the liability is not solely theirs – business process owners are also responsible.

The legislation recommends appointing a data protection officer to manage data privacy obligations and serve as a point of contact with the regulatory authorities and the European Commission.

The clear message behind GDPR and POPIA is that responsible data protection is no longer a choice but a legislative requirement.

GDPR has completely remodelled the way in which organisations across the region approach data privacy. It reshapes the way in which sectors manage data and redefines the roles of key – C-suite – business leaders.

Chief information officers now need to guarantee they have watertight consent management processes in place, while chief marketing officers require effective data rights management systems to be in place if they are to ensure they don’t lose legal usage of their most valuable asset – data.

The clear message behind GDPR and POPIA is that responsible data protection is no longer a choice but a legislative requirement. The penalties associated with non-compliance represent a pressing business need to take data protection seriously, as the monetary motivation is often more powerful than ethical or operational motivations.

The impact of these new regulations has undoubtedly been in favour of data subjects (the general person), as data controllers are now obliged to provide access to data in line with data subject rights outlined in the regulations.

Consider how the introduction of GDPR led to 62% of London businesses seeing an increase in data subject access requests. We have also seen a raft of new granular consent features being introduced by the biggest tech companies, which further empowers data subjects.

CNIL, the French data protection authority, imposed a €50 million fine on Google based on its lack of a valid legal basis to process most of the personal data they hold on French citizens. Smaller organisations are taking note and improving their practices and transparency across the board.

Where to begin?

Building a strong data protection framework always begins with executive-level commitment to the concept of privacy for both the organisation and its customers.

Having established the strategic commitment, an organisation can begin implementing standards-based frameworks such as ISO 27001, which provides excellent resources and a respected community with which to engage.

It is important to ensure data protection officers are empowered to implement, as well as maintain, the data protection framework with the right security toolset. That said, data protection will always be an ongoing exercise.

The bottom line?

Essentially, as I said at the outset, compliance is no longer a choice.

Data security should not be taken lightly by organisations of any size – it applies across the board, from local hobbyist clubs through to global enterprises.

Organisations must ensure they have the necessary data protection framework in place and that employees are aware and trained in the security requirements of the organisation.

As it is a specialised arena, organisations would be well-advised to consult with data security experts to help guide them through a potential mine field of fines, and in turn, loss of reputation and business, due to non-compliance. 

Gregory Dellas

Information security specialist working for CA Southern Africa

Gregory Dellas, CISSP, is an information security specialist working for CA Southern Africa since 2018. He is a former EU-GDPR practitioner and draws knowledge from having consulted in multi-disciplinary security roles for over a decade in the broader IT industry.

See also