Don’t panic over POPIA

Johannesburg, 06 Oct 2020
Mats Knutsson, Lead Solutions Consultant, Micro Focus

With POPIA finally having commenced, and compliance enforced as of July 2021, data privacy is more relevant than ever before.

Mats Knutsson, Lead Solutions Consultant at Micro Focus, says GDPR, which has been in force for a couple of years by now, has paved the way for POPIA, and learnings from its implementation can certainly be applied to the local legislation.

GDPR was launched in 2016 and became effective in 2018, and has had a massive impact on other countries’ privacy acts. The overall aim is to move ownership of personal data from the organisation that holds and stores it to the subject that the information concerns. Thus personal information remains the individual’s data, the organisation just manages and administers it. The owner has a number of rights regarding their data, and the organisation that has it must keep it safe. There are four key obligations that organisations have under the data privacy laws in order to be compliant.

  1. The data must be stored securely and access to it needs to be minimised. While it’s essential to make data accessible, this must be done in a secure fashion.
  2. The business must be able to remove personal data that isn’t required by its processes. Most businesses have legacy data. This needs to be cleaned up and either stored or disposed of appropriately.
  3. Under GDPR or POPIA, an individual can request to see all of the personal data that an organisation has about them. This has to be provided within a certain timeline.
  4. The organisation must report data breaches or loss of personal data to the relevant officials as well as to the individual.

However, businesses face a number of challenges that may inhibit their ability to meet these obligations, says Knutsson. One such challenge is the large volume of data typically held by most businesses, regardless of their size. Add to that the complexity of different types of data coming from different sources, not to mention the different data retention rules that have accumulated within the organisation over time. Then there are budget constraints, particularly post-COVID-19, as a result of reduced revenue during lockdown. Businesses need a way of approaching compliance that is not stalled or derailed by these obstacles.

A three-pronged approach is required. First, it is key to have focused and efficient software that can be integrated into an overall solution addressing the four obligations outlined above. Second, solid processes are needed to leverage that technology properly. Finally, data segmentation is essential: with massive amounts of data, you need an intelligent way to divide it into categories with different characteristics, which drastically reduces the cost of processing the data.

Two years down the line, what learnings can be derived from GDPR that can benefit local businesses faced with POPIA compliance? Knutsson says he sees three key takeaways. Firstly, regulators are starting to issue fines for non-compliance, with different countries taking different approaches to enforcement. Secondly, public perception really matters and failure to control and manage customer data safely can result in brand damage. Lastly, compliance is really all about information governance, and legislation such as GDPR and POPIA provide organisations with an opportunity to look at their overall information governance as part of addressing their requirements.

Companies overwhelmed by the large quantities of data they have dispersed across many different systems, and facing shrinking budgets, should not freeze and do nothing, he advises. Instead, they should use POPIA as an opportunity to improve their overall data governance, using an incremental approach and spreading the cost over a period of time. They can also realise cost savings by finding data they no longer require and reducing their storage, and by identifying applications they no longer need and retiring them.

He concludes: “Organisations that are trying to be compliant, and that have a plan and processes in place, will be in a better position with the regulator than those that do nothing. Over and above this, customers are holding businesses to a high standard when it comes to managing their data – and might take their business elsewhere if they perceive that an organisation isn’t handling their data securely or responsibly.”