POPI Act is good business practice

Recently, the Information Regulator approached South Africa’s President to issue a commencement date of 1 April 2020 for the remaining provisions of the POPI Act.

The government faces growing pressure to take action with the increase in data leaks. Even President Cyril Ramaphosa himself fell victim this year as his private email server was breached.

If a country’s leader can fall victim to cybercrime, just image how vulnerable an organisation or average citizen may be.

To avoid chaos and ensure compliance, companies should start, if not already, implementing good data management practices and processes is a practical and much-needed requirement today. It is good business sense to know what data you have, why you have it, and what you do with it, allowing for valuable insights and gaining consumer trust in turn.

Costs

It is uncertain whether POPI will come into effect 1 April, especially when one considers that the government is dealing with various challenges, such as South African Airways (SAA) and Eskom. Implementing POPI now could have significant repercussions for the economy, as it is a costly undertaking.

But on the other hand, no company can afford to ignore data protection and privacy in today’s digitally-driven world, especially when one factors in that the average cost of a data breach is $3.9 million, according to IBM.

Get cracking

When POPI does come into effect, businesses will have a one-year phase-in period to align their processes with the Act’s requirements.

Business budgets are typically under constraints, so having to implement entirely new proper data protection processes to align and comply with POPI will take a substantial amount of time, as seen anecdotally when the General Data Protection Regulation (GDPR) came into effect in the European Union, with experts in the sector having to work endlessly to try and get processes sorted.

Larger organisations will have to appoint teams to work on implementing and aligning data processes for at least a year if they have not already begun the journey, so just imagine the impact on smaller companies.

Talk of POPI is by no means a scaremongering tactic; the reality is there is still a lot of work to be done by organisations.

Compliance is key

Businesses should start their road to compliance by identifying what personal information they collect, from who and where it is stored, while continuously reviewing communication tools used and considering data subject rights.

Companies should also implement compliance training for employees and review their contracts and make necessary amendments to include POPI compliance clauses.

Remember, compliance over complacency. Organisations should consider engaging with a professional on the matter and consult with legal experts to ensure they are sufficiently covered for when POPI comes into force.

Security Safeguards

However, as the world generates and consumes more and more data, companies have become prime targets for online perpetrators resulting in damages if robust IT systems are not in place.

Dealing with the importance of suitable safeguards is emphasised through the inclusion of “Security Safeguards”, one of the eight vital conditions prescribed by the POPI Act for the responsible processing of personal information. The requirements are set out in sections 19 through to 22 of the Act.

Section 19 requires the organization to ensure suitable measures are in place to:

  1. Identify all reasonably foreseeable internal and external risks to personal information held by the entity;
  2. Establish and maintain appropriate safeguards against the risks identified above;
  3. Regularly review these measures to ensure that they are implemented effectively; and
  4. Ensure that these safeguards are consistently reviewed and updated where necessary to keep up to date with the ever-evolving risks associated with the storage and processing of personal information.

The onus falls on the organisation responsible for maintaining the integrity and confidentiality of this information by preventing loss, damage, and unauthorized access to such data.

Ensuring systems are safe and data is managed and protected accordingly is one of the biggest undertakings and most expensive since this relies on an organisation’s IT system. Typically, this is where companies’ biggest risks are.

Reputational

The costs of a breach can quickly add up, from having to deploy additional resources to implementing new systems, but one of the biggest losses that takes place when an attacker strikes is the immeasurable damage to a company’s reputation.

Since today’s consumers have more options than ever before, brand trust has emerged as an important competitive differentiator. And when breaches occur, consumers quickly lose confidence in a brand, resulting in a lack of trust.

With governments tightening regulations to improve data privacy processes and today’s empowered consumers, there is no room for error.

From diminished goodwill to severe reputation losses and increased customer turnover, a data breach is detrimental to any organisation.

Don’t get left behind

It is no secret that data breaches are on the rise, yet companies are still not prepared or well-equipped for breaches, despite them becoming a common occurrence. As such, they will continue to expose themselves to potential data breaches, loss of intellectual property (IP), and regulatory scrutiny.

One thing is certain, the clock is ticking. Companies need to start working on aligning their systems and relooking at their data policies now to ease future operations by implementing robust IT systems and processes to protect confidential data, which takes a substantial amount of time and a lot of focus.

Dr. Danie Strachan
Partner | Commercial Attorney