POPI pressure mounts as deadline looms closer
Once the Protection of Personal Information Act, 2013 (POPI Act) is made effective, companies will have a year's grace period to become compliant with the Act. In the meantime, agreements between corporate clients and their suppliers are already being updated to require compliance with data processing provisions contained in the POPI Act.
Pierre Aurel, Strategic Project Manager at e4, says that 2018's first quarter will be rife with companies undoubtedly scrambling to get their compliance houses in order and focus their efforts on securely managing, storing and processing data.
The purpose of the POPI Act, according to Aurel, is to ensure that all institutions conduct themselves in a responsible manner when processing, collecting and sharing the private information of any individual or entity: "The crux is that the Act will hold institutions accountable if personal information is compromised or abused, which is why it is critical for companies to address the issues with a sense of urgency."
For companies that store or process data within the EU, additional legislation awaits them in 2018. The General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018 and carries far more severe penalties for non-compliance. GDPR is a significant change in privacy law, and companies making use of third-party services or cloud hosting in the EU need to assess their data footprint within the EU. Compliance with GDPR does not automatically guarantee POPI compliance, and vice versa.
Aurel predicts that the appointment of a Chief Information Security Officer (CISO) will be a priority at the start of 2018 and that this role will be tasked with POPI compliance. The Act makes it compulsory for every company to appoint an Information Officer, who must register with the Regulator. Until another individual is appointed as the Information Officer, the CEO carries the responsibility. Most CEOs will be eager to delegate this responsibility to reduce the administrative and compliance burden.
The key duties and responsibilities of the Information Officer include working with the Regulator, handling queries and overseeing the lawful management of personal information.
Aurel says that the appointment of a CISO could also mitigate risks in a world that is rapidly becoming more fraught with cyber-security issues: "The bigger challenge here is that the skill set for a CISO will be in great demand. There are not enough candidates with these unique skills, and those that do have them will be in greater demand."
Classification of data is another priority according to Aurel. He says that it is important to understand what personally identifiable information is on file and why it is being stored. "The legislation determines that personally identifiable information is valuable and grants consumers the right of protection as well as the ability to control the use and disposal of this information. Thus it is important for companies to understand what information they have on file and why."
Lastly, if a security budget has not been addressed already, 2018 is when this will occur. Aurel says the industry is expected to dedicate more budget to IT, and to security in particular, with budgets exceeding 2017's by at least ten percent.