Where to from here for the Information Regulator?
The Information Regulator is a key part of Protection of Personal Information Act (POPI) compliance and will also be central to PAIA implementation. The five members of the Regulator have been appointed, and the Regulator has been given the go-ahead to establish the office. The strategic plan of the Regulator shows, however, a number of flaws, which may well result in the office being delayed in beginning work. In addition, there are problems with the DPSA and Treasury.
ITWeb Events spoke to Alison Tilley, attorney and head of advocacy, Open Democracy Advice Centre, about the process of implementing the Information Regulator: the schedule and the challenges. Tilley will be a speaker at the ITWeb POPI Update II 2017 on 21 November.
ITWeb Events: The Information Regulator is a much-debated topic of conversation. Could you clarify what it is, and what is expected of it?
Tilley: The Information Regulator is the institution responsible for enforcing POPIA and PAIA. The regulator will issue fines and other penalties for responsible parties failing to protect personal information.
ITWeb Events: What are the implications of non-compliance according to the Act, and how will the IR manage this oversight?
Tilley: The important penalties to be aware of are if a responsible party fails to protect account numbers, they may be liable to pay a fine of up to R10 million or face imprisonment of up to 10 years. Also, data subjects may bring claims for substantial damages if a responsible party fails to protect their personal information. The Regulator also has order powers for the release of information requested under PAIA.
ITWeb Events: What stumbling blocks do you expect, in your opinion, will be the biggest hurdles for the Regulator?
Tilley: The primary stumbling block we have identified is that the Regulator has been unable to advertise for and hire staff. They have four staff who have been seconded to them by the Department of Justice (DOJ), which includes an acting CEO and admin assistance. This is obviously wholly inadequate in terms of the mandate they have, and leads one to think that they will not be in a position to begin work in March as they appear to have hoped. The delay in appointing staff is apparently not with the DOJ but rather with the DPSA, who have cavilled at signing off on the staff they want and pay grades, and Treasury.
ITWeb Events: Why, in your opinion, are many organisations employing a 'wait and see' attitude when it comes to POPIA?
Tilley: The level of compliance will be determined by the level of enforcement implemented by the regulator. Unfortunately, business generally must see a cost for failure to comply before they spend money on compliance. This drives up the level of regulation, and consequent costs. I also think POPI has been overhyped as a major compliance issue, and business is just not prepared to spend what consultants are suggesting they must.
ITWeb Events: What is the first question that most clients ask when engaging you in conversation on this subject?
Tilley: What do I have to do right now? And what happens if I don't?
ITWeb Events: Why did you say yes to presenting at the upcoming POPI Update II? What is it that you bring to the table and what do you want attendees to take away with them after your presentation?
Tilley: The implementation of the Regulator is my major concern. I want those present to focus on getting word to the regulator that they need them up and running. The more pressure the better.