POPI set to be a 'rude awakening' for SA businesses

Okyerebea Ampofo-Anti, partner in the commercial litigation department at Webber Wentzel.

South African businesses are in for a rude awakening once the country's Information Regulator (IR) takes up its role as enforcer of the Protection of Personal Information (POPI) Act.

This is according to Okyerebea Ampofo-Anti, partner in the commercial litigation department at law firm Webber Wentzel.

Speaking at the ITWeb Security Summit 2018, happening at Vodacom World in Midrand this week, Ampofo-Anti warned the regulatory body will be very eager to flex its muscle when the POPI Act comes into force in its entirety.

Making an example

"It's important for companies in South Africa to consider that our Information Regulator is going to be looking for someone to cut their teeth on. They are going to be looking for a 'nice example' to demonstrate to the rest of the market what it is they are capable of doing and what they want to deter. You don't want your company to become that example. If you've got a name like MTN or Vodacom, you are going to be one of the potentials. If you've got the resources to make sure that data breaches do not happen, there will not be a place to hide when the regulator comes looking for you."

Ampofo-Anti believes the lack of awareness of cyber security threats in South Africa means the first sanctions from the IR will have dire consequences for those involved, as too little is being done in preparation for the full implementation of the POPI Act.

"The most important aspect of POPI from a cybersecurity point of view is condition number seven, which deals with security safeguards. Not only does it place a burden of responsibility on the so-called 'responsible party' to ensure the integrity and confidentiality of the personal information in its possession, but it also ultimately requires you to be proactive, to identify the reasonably foreseeable internal and external risks, and to establish and maintain appropriate safeguards."

Ampofo-Anti advised that although the IR cannot take enforcement action at the moment, as the Act is not yet in force (except for the part that establishes the regulator itself), its powerlessness for the time being should not lead anyone to ignore the risk of a data breach.

"The bottom line is that you need to be ready. Cyber reliance means building a business that incorporates the actual level of the threat that your business is currently facing, a business that is able to survive a cyber incident and not one that will never have a cyber security incident as that is impossible. From a legal point of view, the bar of what is reasonable is clearly being raised and you need to ensure that you are not found wanting."

Preparing business

Ampofo-Anti believes the IR can do more to prepare business for the full introduction of POPI.

"If I were the regulator, I would be spending my time creating guidance notes. That is what they should be doing for different industries, indicating how they will interpret certain things as that would enable us to get on with our compliance preparations."
