How to navigate through the maze that is POPIA
With the newest data privacy law in South Africa, POPIA (Protection of Personal Information Act), now having taken effect, the race continues for companies to ensure that they adhere to this important piece of legislation.
But what is POPIA? While many have heard about POPIA, also known as the POPI Act, some are unsure how it impacts their organisations’ operations. The Protection of Personal Information Act, which is South Africa’s equivalent of the EU’s GDPR, sets out to protect its citizens’ personal information from cyber crime and other misuses. It sets conditions under which organisations may responsibly and lawfully process specific data that can either identify a natural or juristic person – such as identity or telephone numbers – or contain confidential information, such as financial history or private e-mails.
POPIA is important because it aims to protect people and organisations, called ‘data subjects’ in the Act, from harm, such as identity theft and fraud, by protecting their personal information. The risks of non-compliance include reputational damage, fines and imprisonment, and paying out damages claims to data subjects. The biggest risk, after reputational damage, is a fine for failing to protect account numbers.
The most significant impact is on organisations that process large volumes of personal information, or highly sensitive personal information that the Act calls special personal information, such as children’s information and account numbers. The most affected industries are financial services, healthcare and marketing.
South Africa-based specialist IT governance and architectural services company, AVeS Cyber Security, says many companies are left feeling paralysed because they do not know how to approach or navigate the maze that is POPIA. Group CEO Charl Ueckermann says that while the process can be intimidating, it is vital for both consumers and businesses in the fight against cyber crime.
"The latest statistics indicate that impersonation fraud has increased by 337% in 2020 in South Africa. Fraudsters are good at impersonating consumers and representatives of the financial institutions that consumers belong to because they have access to huge amounts of data that provide the personal information needed to perpetrate this kind of fraud. The protection of personal information is becoming a major issue, and POPIA is a critical element of curbing these practices," Ueckermann explains.
But where to begin, and will every company and organisation be able to comply? Ueckermann says it’s improbable that all companies would have complied by 1 July 2021; the goal should rather be to make a reasonable and ongoing effort.
"There is no such thing as being POPIA-compliant, as POPIA compliance is a journey rather than a destination. However, every organisation should make sure that they take reasonable precautions to collect, distribute, use, save and get rid of someone’s data. If the Information Regulator ever approaches you with a data breach or POPIA-related complaint, you would need to show that you have taken all reasonable steps necessary to prevent the data breach from happening. It is, therefore, critical to get your ducks in a row proactively," Ueckermann says.
Ueckermann says companies such as AVeS Cyber Security specialise in assisting companies to become ‘POPIA-ready’. He says the first step is a thorough assessment of a company’s current status. The assessment covers the company’s current standing against POPIA’s requirements, how it processes both personal information and special personal information, whether an information officer has been appointed, prior authorisation of data processing, rights of data processing and trans-border data storage.
"We have two assessment methods, the first being an online assessment, where clients can go through the questionnaire in their own time and at their own pace. Once completed, they will receive a report that scores their current POPIA-readiness level and identifies areas where they can improve. However, the report does not tell you what steps to take next or how to prioritise areas that need improvement, and this is where you need to call in the professionals. Secondly, there is also an onsite assessment, which larger companies prefer and which takes about a week to complete. This enables us to put a focused roadmap together that encompasses people, process and technology, getting them POPIA-ready in the shortest amount of time possible," he says.
Ueckermann says the self-assessment option costs R6 999 (excl VAT), while an onsite assessment starts from about R65 000. He says implementing all the steps to become POPIA-ready can take between four and 12 months.
"There is no quick fix or shortcut to becoming POPIA-ready. You need to put in the work to avoid putting yourself and your organisation at risk of non-compliance."
Ueckermann says the following checklist can come in handy to gauge whether you are POPIA-ready and where you would need help:
- Appoint an information officer in writing, unless this person is the CEO, in which case the appointment is automatic.
- Register the information officer on the Information Regulator’s website and get your certificate of registration.
- Draft or update your POPIA policy and practice manual.
- Draft an incident response plan that will set out the procedure to follow when personal information under your or your operator’s management and control is compromised.
- Set up training sessions for managers and staff who process personal information (PI) and have them sign an attendance register.
- Ensure your section 51 PAIA manual is available on your website.
- Identify all operators as defined in the Act and ensure you enter into or obtain their contractual terms regarding POPIA.
- Ensure that you make provision for data subject participation. Remember that POPIA gives all past and current suppliers, employees and clients or customers the right to participate in decisions about their data.
- List all systems, technologies and programs you use and have your IT department give written assurance that all is in order, such as firewalls, anti-virus programs, user access, back-ups and encryption.
- Design an impact assessment matrix that requires each function to identify the processes they follow that include personal information. Then ensure the systems and staff conduct are up to scratch.