Start moving on privacy law now
Companies that have not paid attention to the Protection of Personal Information Bill need to do so now, but there is still a lack of clarity as to how the information regulator, which will be set up, will deal with breaches of the law.
South African companies can turn to international experience to gain an understanding of how the local regulator is likely to deal with issues, says Daniella Kafouris, senior manager and lead data privacy/PPI compliance at Deloitte Risk Advisory.
PPI, currently awaiting the National Council of Provinces' approval before being signed into law, is in its tenth draft and no regulator has been assigned yet, so companies are not sure what to expect, says Kafouris. She was speaking at ITWeb's Security Summit in Sandton this afternoon.
SA's privacy law, which may be enacted this year, is the first consolidated piece of privacy legislation in the country, and dictates how, and for what purposes, personal information can be used. It also dictates how data must be stored securely, and forces companies to tell people if their information has been breached.
Non-compliance carries hefty penalties under the proposed legislation, with fines of as much as R10 million for breaches.
Data is important because it "is actually the new oil," says Kafouris. She says the more refined it is, the more it is worth, and - unlike oil - it will not run out.
As a result, says Kafouris, there is a need for ground rules and the US, Europe and much of the globe have already put legislation into place. This harmonises access to information and its protection.
South Africa, although lagging, has been able to pick the best of the "bunch" for its own legislation, says Kafouris. She adds that once the office of the information regulator has been established, companies will have a better idea of how they will interact with it as, currently, there is no indication as to who the officer will be, or how the office will work.
Under the law, companies will need to develop information officers who will deal with data and privacy, says Kafouris. She says someone needs to be accountable, and a key question at the moment is who, and whether the function should reside with legal, IT or security.
Kafouris says that privacy officers are a different profession that needs to combine several skill sets, such as legal, IT security and public relations, as they will deal with the public and be the company's face when information breaches have to be disclosed.
Companies will have to tell the information regulator when they process unique identifiers, information on credit or criminal backgrounds, and when special personal information crosses borders, says Kafouris. In addition, data breaches must be disclosed, which is at the core of the law as this carries with it a reputation risk, she adds.
The information regulator will take in complaints and determine whether to investigate further, which may lead to a sanction, says Kafouris. However, this is not yet clear, so local companies can look to international practices to gain insight, she adds.
The trend internationally is that the regulatory officer will probe and, if there is a situation that is contrary to the law, will give companies six months to get their houses in order. If they fail, they are likely to be fined, and biannual third-party audits are often also insisted upon, says Kafouris.
South African companies also need to be aware of international jurisdiction if they operate in other countries, says Kafouris. She adds that issues such as cloud computing must also be considered as companies may not even be aware of where their data is hosted.
What companies need to do now:
Align policies and processes.
Align roles and responsibilities.
Start the foundation of an incident management function.
Appoint privacy officers.
Start educating the organisation, clients and third-parties.
Start addressing gaps in current policies and procedures.