Don’t get caught out by POPIA
What South African companies can learn from GDPR preparation.
On 1 July 2021, the POPI Act came into full effect, granting South Africa’s new regulatory authority, the Information Regulator, enforcement powers. This means that organisations that don’t comply may be charged with penalties of up to R10 million, or imprisonment for a period of up to 10 years.
As a reminder, this applies to any private or public body that collects and/or processes personal data in the course of offering goods or services.
One would assume that the threat of these significant penalties would have encouraged all South African businesses to be prepared and compliant by the end of June 2021. In fact, many organisations remain exposed to the risk of non-compliance.
This is not a case of organisations deliberately choosing not to comply; becoming POPIA compliant is simply a complex undertaking.
South Africa is not the first country or region to go through this exercise. Three years ago, in May 2018, the EU’s new General Data Protection Regulation (GDPR) came into effect. Since then, some well-known companies have been fined significant amounts for breaches. Some of these included:
- Amazon was fined $886.6m (R12.8m) for alleged breaches of European Union data protection law.
- H&M was fined €35.3m (R605.7m) for illegal surveillance of hundreds of employees, including keeping “excessive” information on the families, illnesses and religions of those involved.
- Google was fined €50m (R857.9m) by the French data regulator CNIL for breaching the EU’s data protection laws. The regulator commented that it based these fines on a "lack of transparency, inadequate information and lack of valid consent regarding ad personalisation".
So the case for being compliant and not risking significant fines is clear. Proceed Group has been helping organisations for many years to bring their operations into compliance with personal information legislation such as GDPR, with a special focus on ERP systems such as SAP.
We have found that in addition to getting compliant, there are other benefits.
Improved business reputation and customer loyalty
Major data breaches make international headlines and damage your business reputation. In fact, it goes further than that. According to a US report by FireEye, 76% of respondents would take their business elsewhere when a company has shown negligence in its data-handling practices. Making sure you are POPIA compliant demonstrates to customers that you are a trusted partner.
More accurate data
By implementing processes in accordance with POPIA, you will in turn improve the quality of your data. Giving customers greater transparency and the ability to correct their information has been shown to improve overall data quality, leading to better decision-making.
We have found that when customers implement data governance, and especially when they review historic data, they not only gain operational efficiencies but can also realise cost savings. Retention of personal data is one example: by keeping data only as long as it is needed, customers reduce the size of their databases and save on the cost of storing and maintaining them.
Paul Wood, Nordics Regional Lead at Proceed Group, commented: “We have found that in many cases, customers have been pleasantly surprised by the outcome of doing a data governance project. They have stated that not only did they learn a lot about the risks and issues associated with compliance (in most cases related to GDPR), they were also impressed by how this process tidied up in-house data processing and that it resulted in them being more efficient businesses.”
What if you have not started the journey?
Proceed Group worked with many companies when they were getting ready for GDPR in 2018. It did not stop there and we are still doing large-scale compliance projects with customers in 2021. We can see the same happening for POPIA. Based on our experience, the sooner you address this, the better.
Graham Mead, Commercial Director at Proceed Group, commented: “Not having a GDPR/POPIA plan and not managing that plan means you will create your own ticking time bomb that could destroy your commercial reputation and hit your bottom line.”
The POPIA is not a piece of legislation where compliance can be achieved and then forgotten. Meeting the requirements of the POPIA requires a re-engineering of business processes, continued vigilance and ongoing audit.
As the leading expert in POPIA consulting and technologies which are key to achieving and maintaining POPIA compliance, Proceed Group has developed a handbook to highlight a pathway to compliance and headline areas to investigate.