How is SA handling data privacy and protection?
SA businesses are experiencing several challenges when it comes to POPIA implementation, particularly adapting to the many new requirements that go hand in hand with the new legislation.
“The number of requirements that comprise POPI compliance are designed to increase the accountability of those who process personal data,” says Siobhain O’Mahoney, analytics, strategy and investments specialist, who will be presenting on ‘What is the current status of data protection/privacy in SA?', at ITWeb Business Intelligence Summit 2021, to be held from 9 to 11 March as a virtual event.
A transparent, trustworthy process
“Businesses need to ensure that the policies for personal data usage, consent, rectification, access, and deletion are written according to the regulations," O’Mahoney says. "Furthermore, co-operation with third parties under POPIA is considered a key risk and must be reassessed and adapted accordingly.”
There is a lot to do to follow the guidelines, and there is a need to adopt certain practices that will ensure the exclusion of any possibility of a violation, she adds.
The first of these is system and process audits and assessments. “The implementation of POPIA requires an audit of systems and processes to understand things such as what data is collected, what are the sources of data gathering, where is the data stored, how is it used and who has access to the data, and for how long.”
Furthermore, an audit is required to understand the manner in which the company processes data to determine which processes are impacted by POPIA.
Another practice that is needed, she says, is employee and team compliance and training. “It is difficult and time-consuming to teach people to follow the guidelines and understand the principles. Teams also need to understand what these mean, how they work how it affects their working process.”
She says POPIA compliance also outlines responsibilities of an information officer, who’s responsibility will be to ensure that the company complies with the conditions of lawful processing of personal information. This is automatically assigned to the head of an organisation, be it the CEO or otherwise.
Expanding user rights
POPIA significantly expands the user’s rights over their personal data, she notes. Businesses must be ready to provide information on several matters, including the purposes of the processing; categories of the gathered data; involved parties to whom the user’s personal data will be disclosed; the approximate time frame over which personal data will be stored and compliance with requests for correction, erasure, or restriction of processing of personal data.
“These obligations are onerous and time consuming,” says O’Mahoney.
There is also the need to understand the objectives and intentions of POPIA.
“The requirements of POPIA are extensive and complex, requiring interpretation of principles and guidance from businesses. A common misconception pertains to the key objective of POPIA - it is not intended to prevent the processing of personal information, but to ensure that it is done fairly and without adversely affecting the rights of data subjects.”
Finally, she says there’s a need for budget planning. “The cost of compliance can be prohibitive, particularly for small businesses. The coming of POPIA means that there may need to be a significant rethink of the budget to provide adequate maintenance of the data privacy and security operations. The additional spending will be aimed at three areas - technology, its subsequent implementation and human resources to do the job.”
During her talk, O’Mahoney will introduce delegates to the requirements and fundamentals of data privacy legislation in SA, as well as help them to understand how this legislation may affect some of their daily activities.
“We will also provide some practical examples of what privacy may mean to delegates personally by examining several recent noteworthy developments in local and internal markets, as concerns data privacy.”
ITWeb Business Intelligence Summit 2021
Register now for ITWeb’s annual BI, data, analytics and AI event. It is an invaluable platform to engage online with senior decision-makers, and hear from local and international experts on how to embrace digital transformation to create a data, analytics and AI driven culture. For more information, and to register, click here.