POPIA will put data privacy front and centre
As the enforcement of the Protection of Personal Information Act (POPIA) draws nearer, organisations that are ill-prepared to meet its requirements should start taking steps towards adopting proactive compliance.
This is according to Zaheera Ahmed, group head of data privacy at Absa, speaking this week at the ITWeb Governance, Risk & Compliance 2020 event in Bryanston, Johannesburg.
Delivering a presentation in her personal capacity, titled “Privacy in the age of digital transformation”, Ahmed explained that the fourth industrial revolution has had a significant impact on data privacy by introducing pervasive use of technologies to track, store and analyse information and to profile consumers, leaving them exposed to more risk elements.
On the other hand, the digital era, she added, enables organisations to develop a more agile approach to meeting regulatory requirements, through the use of data. Therefore, organisations should ensure that building consumer trust remains a fundamental imperative.
She emphasised the role of POPIA in addressing data privacy issues to ensure all South African firms conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity's personal information by holding them accountable, should they abuse or compromise personal information in any way.
“In the digital era, organisations need to incorporate transparent privacy policies into their building blocks in order to actively empower their customers. As South Africans, privacy has been at the top of our minds since the advent of POPIA.
“Advocate Pansy Tlakula, the information regulator, has written to the president, asking him to sign POPIA into commencement before the end of quarter one. What this means is that, hopefully, by 1 April, we should have the enforcement of POPIA. While there is a chance this deadline could be extended, organisations should prepare themselves for its compliance requirements.”
POPIA was signed by then president Jacob Zuma on 19 November 2013 and published in the Government Gazette on 26 November 2013.
After the commencement date, a compliance grace period of 12 months will exist, providing organisations with time to meet compliance requirements.
Ahmed noted that some local organisations are still grappling with meeting basic compliance obligations, particularly technology-focused requirements.
“Some South African organisations are really struggling with basic compliance and regulation requirements of POPIA, while others experience challenges with automating certain controls and tasks that could possibly assist them with compliance. These include managing incidents on a daily basis and dealing with daily client complaints.
“Developing and managing a central repository to observe and analyse data-related trends is another challenge facing organisations.”
The main reason some organisations are struggling to meet POPIA compliance requirements is that they view the data regulation as another regulatory burden, instead of seeing POPIA as designed “in the good spirit of the law” and as something that also helps them create a data strategy that will guard against risks, according to Ahmed.
When POPIA is in full force, businesses that don't comply, regardless of whether it’s intentional or accidental, can face severe penalties. The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
“The way we process information today regarding things like profiling individuals often goes beyond what is acceptable by regulation. In the digital age which brings many complexities, organisations should also take a more ethical approach to privacy rather than stick to a single regulatory approach.”