Individuals share their personal information on various platforms daily. The impending threat of information leaks or security hacks on systems that store this private information makes individuals vulnerable to reputational damage and fraud through identity theft.
The Protection of Personal Information (POPI) Act signed into law in 2013 calls for businesses to protect the personal information of clients, employees and suppliers. POPI regulates the processing of personal information of natural persons and juristic persons, says Robby Coehlo, partner at Webber Wentzel. “It has a 360 degree impact: covering customers, employees and suppliers.”
It regulates the life-cycle of information from the time that business are deciding what information to collect and everything that happens after that until the collected information is destroyed, he says. It regulates all activities that can be done with information, not just the collection, use and storage of information.
A commencement date is yet to be announced, but businesses will have at least 12 months to become compliant with POPI from that time. “In our experience, 12 months is not sufficient and businesses should start the process of ensuring compliance as soon as possible” says Coelho. The department of justice will further appoint an Information Regulator (IR) to assess compliance.
POPI requires businesses to be transparent about what they use the information for, says Elizabeth de Stadler a senior associate at Esselaar Attorneys. “POPI provides more visibility with regards to what people [companies] do with your personal information.”
In the case of a security leak or a breach in rights, consumers can lay a complaint with the IR against the business in question. The IR can recover the losses and if it is found the business is not compliant with POPI, a fine up to R10m can be imposed, she says. If there is a breach of security, or an unauthorised disclosure of a person’s data, the business has to inform all subjects affected, says Coelho. “You effectively need to blow the whistle on yourself” says Coelho.
Not many people do it, but they should read privacy policies.
To be compliant, de Stadler advises that businesses firstly track the personal information they possess. After determining what it is used for and monitoring the flow of the information through-out the business, risk areas should be identified and addressed, making it more secure.
Coelho says businesses should do an initial assessment to determine if there are gaps between current practices and policies, and POPI requirements. “The organisation needs to test practices, policies, agreements and the like against POPI and then correct these things if they are deficient. This extends to both organisational and technical policies, systems and practices.”
The business should also ensure there are adequate agreements or consents in place with all data subjects (customers, employees, suppliers). POPI also requires that written agreements be concluded with suppliers that are involved in processing information on behalf of a business, to ensure that the suppliers comply with certain security requirements. It may be more difficult for small business to comply as they have financial and resource constraints.
Consumers can also take steps to protect their information. “They need to stop oversharing information,” says de Stadler. Many people give more information than is required. She advises consumers to be proactive and question why businesses require certain information and for what it will be used. Consumers should only share information with businesses they trust. It is important to not how information is being transferred i.e. over the web, or filling out a physical form. “They need to assume that everything is capable of being intercepted,” she says.
“Not many people do it, but they should read privacy policies,” says Coelho. People should realize information has value and empower themselves by taking care in deciding what they agree to, he says.
POPI will also further impact laws regarding direct marketing. Before being sent marketing material, marketers will be required to ask consumers for permission. Further, marketers won’t be able to poach consumer contact details as freely as currently is the case says de Stadler.
De Stadler has written a book with Paul Esselaar called A Guide to the Protection of Personal Information Act which will be available soon. De Stadler says POPI is a good legislation for businesses to comply with as it follows international standards of good practice and is loosely based on European legislation. It is also very beneficial for businesses to have good data governance, she says.
Both de Stadler and Coelho say that the effectiveness of POPI will depend on the enforcement by the Information Regulator.
This article was featured in Finweek magazine.