Data privacy can mean jail time for CEOs
While POPIA is imminent, the extent of its efficacy is still unclear.
Will the Protection of Personal Information Act (POPIA) bring better forms of compliance? Will the regulator actually have teeth and drive companies towards resolving their data compliance issues? These are all questions that will only be answered when the Act comes into law.
The legislation is expected to kick in during Q1 2020, although there’s no real clarity around that. It’s definitely imminent in the next quarter, says Gary de Menezes, Managing Director of Micro Focus South Africa. “Once it comes into force, it will bring a whole new level of responsibility for CEOs of companies. The concerning thing is that they might not necessarily understand their responsibilities and exposure under the new POPIA legislation.”
Gareth de Laporte, Channel and Alliances Executive at Micro Focus, says: “We’ve assisted many South African businesses of all sizes with their privacy journeys and noticed that many of them don’t even have record management in place. This leaves them with a lot to do once POPIA comes into force.”
He continues: “It’s important to know what companies’ responsibilities are under the legislation, but the ultimate responsibility is to have a firm understanding of where all personal information resides across the enterprise, regardless of the type of information.”
Personal information can range from an individual’s personal data such as date of birth, religion and marital status, to all contact information, biometric data, video footage, voice recordings from call centres and personal views, and it even extends to the opinions of a third party about the individual. There’s a vast misconception that it’s just your identity number, contact details and credit card information that need to be protected, but it goes far beyond that. For example, a business or residential estate that has a camera that picks up your car’s number plate and your face is capturing your personal information. In South Africa, personal information also extends to the information of corporations and not just individuals. From a compliance and litigation perspective, this increases the risk to CEOs even further.
Dean Goddard, Account Executive - Security, Risk and Governance at Micro Focus, adds: “It’s basically any information that’s associated with a specific individual or juristic entity as opposed to groups or demographics.”
POPIA contemplates that there are eight personal information processing conditions that responsible parties must adhere to:
- You must be accountable;
- Processing of information must be lawful and reasonable;
- The information must be collected for a specific and lawful purpose;
- Any further processing of information must be compatible with the purpose for which it was collected;
- Reasonable and practical steps must be taken to ensure that information is complete, accurate, not misleading and updated where necessary;
- There must be openness;
- The integrity and confidentiality of the information must be secured; and
- The data subject has a right to, among other things, ask for, and be given free of charge, details of any information that you have about them.
Once POPIA comes into law, South African businesses have 12 months to get their compliance up and running, which doesn’t leave a lot of time. Data privacy law experts from ENSafrica, together with Micro Focus, are of the firm view that companies need to commence their POPIA compliance journey immediately, as experience has shown that 12 months is an insufficient time in which to achieve compliance. As part of compliance, businesses need a comprehensive strategy that includes legal expertise coupled with sound technological solutions.
De Menezes explains: “If the legislation is implemented within the next quarter, government will give companies a year’s grace period in which to become compliant or to show they’ve started their POPIA journey. That’s the obligation of every CEO of every company in South Africa.”
Even though South African companies have been warned for the past five to six years that they need to get their data privacy houses in order, many of them have just not done so. However, crunch time has arrived and having expert data privacy lawyers partnering with technology businesses in developing practices will help customers develop a roadmap to compliance that is multi-faceted and comprehensive, says De Menezes. “This requires understanding the gaps between POPIA and GDPR, understanding the exposure of South African companies and assisting them to implement the required policies and business processes and technology to become compliant according to legislation.”
Many local businesses aren’t even aware that if they have EU customers, they’re also impacted by GDPR; it’s not just POPIA that they have to worry about.
De Laporte says the information regulator will have to carry significant weight if POPIA is going to take hold in South African businesses. “The regulator will need to react immediately once the Act comes into force. Failure to comply can attract a fine of up to R10 million and even a jail sentence of up to 10 years. When GDPR was first enacted, business sat back and waited for the first big fine to be issued. Once that had happened, they took the legislation seriously. South Africa is going to follow the same route,” he predicts. “Once the first fine is passed, we’ll see a spate of fines thereafter.”
Data leakage has far-reaching consequences: personal information can be used for organised crime, identity theft and a host of other criminal activities, which is why the penalties are so severe. South Africans may not appreciate the full ramifications of data leakage, says De Laporte, which is why they might be slower to adopt POPIA’s requirements.
Generally, data privacy laws are regarded as a direct marketing inhibitor, but the implications go far beyond that. De Menezes says: “Organised crime has entered the digital era and this has resulted in a whole lot of potential exposure for individuals, including people in affluent positions where digital crime can be used to infiltrate the organisation in the interests of extortion. Privacy rules need to be put in place to ensure that the CEO of each business takes ownership of ensuring that the data is protected to prevent this new spate of digital crime.”
The challenge that organisations are going to face going into 2020 is that the CEO is going to deflect responsibility for data privacy to the CIO, adding to his existing responsibilities. “This isn’t necessarily the best way to deal with it,” says De Menezes, “as the CEO will be held accountable should a breach occur. Rendering the business compliant isn’t the CIO’s responsibility, it’s also the responsibility of the company’s legal and compliance office, the risk officer and perhaps even the CFO. It’s not just a technology issue, it’s a legal requirement. The technology just enables implementation of the legal processes that need to change within the organisation to be compliant.”
Legal and technology need to work hand in hand to attain POPIA compliance. The first challenge faced by business is that most companies aren’t geared up for that kind of collaboration. Secondly, they won’t have budgeted for such a project, which requires a significant investment in something that isn’t going to drive business value or revenue.
The third challenge is that most businesses won’t have set time aside for this, making it the equivalent of a grudge purchase, as the company is going to be funding human resources that need to be allocated to the compliance project. Budgetary concerns should, however, be balanced with the realisation that data is an asset to be exploited commercially, and a sound compliance programme would enable businesses to offset investment in compliance against the potential gains from monetising or otherwise benefiting from data usage.
“All of these are significant challenges in the current economic climate. As inconvenient as POPIA compliance may be, CEOs need to realise there’s significant jail time attached to non-compliance, and allocate the necessary resources,” De Laporte concludes. However, in addition to the risk of jail time, there is also significant reputational and financial risk in not achieving compliance, and a well-defined compliance programme will actually help businesses derive value from their data assets in addition to making the business compliant.