
Information lock-down

Ready or not, companies will soon have to manage the information they keep and make sure they have it for the right reasons, and keep it secure.

By Nicola Mawson, Contributor.
Johannesburg, 29 Oct 2013

Consequences of non-compliance:

* Reputational damage due to breach notification provisions
* Lose customers and fail to attract new ones
* Pay out millions in damages to a civil class action
* Be fined up to R10 million or face 10 years in jail
Source: Deloitte & Touche

After almost 10 years of knocking around Parliament, a Bill seeking to protect personal information is finally set to become law, and companies will have only a year to get their houses in order.

The Protection of Personal Information (POPI) Bill, first mooted back in 2005, is SA's first consolidated piece of legislation detailing how companies must deal with people's - and entities' - information. After finally being passed by the National Assembly in August, it now only has to be translated into Afrikaans and signed off by President Jacob Zuma.

Modelled on the European Union's Data Protection Directive, it will require personal information to be processed in line with internationally accepted data protection principles. There are strict penalties, not least of which is the damage a company's reputation can suffer if there is an information breach.

Cyber crime

Daniella Kafouris, senior manager of Deloitte Legal at Deloitte & Touche, says the law enforces the constitutional right to privacy of personal information and brings SA in line with international data protection laws. "It will essentially legislate the right to privacy that is already entrenched in our Constitution," she adds. "SA has never had an all-round piece of legislation that regulates the entire life cycle of information. With the global trend of data protection legislation being promulgated in many jurisdictions, this will become the world's 101st privacy law and the 20th privacy law enacted this decade."

Says Elizabeth de Stadler, a senior associate with Esselaar Attorneys: "It's high time companies are held accountable for the way in which they treat sensitive personal information."

John Giles, from Michalsons Attorneys, notes that the law aims to protect people's personal information so they don't become victims of things like identity theft.

The POPI Act will regulate every step of data processing relating to personal information, from collection to destruction. This will affect every company out there, he adds. "Every organisation processes personal information. It's everywhere, in all records, mixed up with other information."

Giles expects the law to take effect in February, giving companies about 18 months to fall in line. "There's no need to panic, but responsible parties need to take action now."

Kafouris says the definition of personal information is limited to information about an identifiable, living natural person or juristic person. "Basically, if information can identify someone, it's deemed personal."


An 'insurmountable' amount of information, digital and hard-copy, has been accumulated over the years, she notes. "Almost 90% of it contains some form of personal information. The increase in global cyber crime and identity fraud has placed a high value on data in general."

Adds Giles: "We live in the era of big data, where banks, financial service providers, credit bureaus, insurance companies, marketers, healthcare providers, telecommunication companies and retailers process huge amounts of personal information."

Some information, if disclosed, can be a source of embarrassment. This includes information about criminal records, mental health, HIV status, financial status and history.

"Privacy is a personal right," says De Stadler, "which is why people take it personally when it's breached. People will lose trust in a supplier that does not treat their information with care."

When it comes to the complexity of complying, the question is not so much how big an organisation is, but rather how much personal information it has, says Giles. "Large local companies that process a lot of personal information, and that haven't had to comply with data protection laws before, have the most work to do."

Multinationals like Google, Facebook, Microsoft and Apple have been complying with data privacy laws in many jurisdictions for years, so will have less work to do.

Protecting information

The new law is expected to stop organisations from supplying information such as names, addresses, ID numbers, employment history, health data and the like to third parties without the affected person's consent.

Individuals will be able to request what information an organisation has on them, update it or request for it to be deleted, among other things. Companies also have to get consent from consumers to collect, retain and share their personal information. Once the Bill is given the go-ahead, marketers will have to obtain permission from an individual before they can obtain and retain personal information and communicate with them, Kafouris says.


Organisations will have to implement new policies, procedures and controls, she adds. "The change management aspect of implementing POPI is quite extensive due to required behavioural changes.

"The purpose for which organisations collect personal information, why they keep it, and how they protect it is very broad, and organisations don't have an indication of the extent to which they must comply with the law."

Kafouris says pain points include a lack of skills and expertise, the number of business processes that must be overhauled, the lack of a single view of personal information and data, as well as project fatigue.

The challenge is to take practical, effective action to protect personal information at the lowest cost, and to get business value out of those efforts, says Giles. He says compliance is achievable, although POPI is not a tick-box law.

Companies can also get value out of the law, as they can improve their image, develop their business, customise their products and services, enhance strategic decisions, enhance customer loyalty, and save time and money, he adds.

Kafouris believes it will lead to better data management, a better understanding of what data an organisation has and where it is.

Giles adds that POPI will enable personal information to be transferred to SA, which will bring economic benefits for the country. Kafouris notes that alignment with international practices will allow the free flow of data with countries that also have data protection legislation, such as the EU, Australia and Canada. By enacting data privacy legislation, SA aligns itself with data protection practices across the globe, which will not only facilitate international trade but will also assist in cross-border enforcement of data protection principles.

POPI does not aim to stop the free flow of information, recognising that there needs to be a balance, says Giles.

"Compliance is a positive step," says De Stadler. "Enforcement might be a problem, as always, but most businesses will see it as a positive."

First published in the October 2013 issue of ITWeb Brainstorm magazine.