As with many new laws and regulations, PoPI, the Protection of Personal Information Act, can appear daunting, expensive and complex for businesses to implement. Since its early drafts in 2013, local companies across all sectors have been pushed to re-examine their data protection policies and whether they conform.
In essence, PoPI seeks to ensure that all South African institutions operate responsibly when managing, collecting, processing, storing and sharing personal information. The Act holds these companies accountable if they fail to protect personal data and looks to bring South Africa in line with international trends around data management. If anything, these laws will get stricter as time passes and more public examples, like Facebook’s, emerge.
PoPI considers personal information and data “precious goods” and business leaders can face jail time or a fine of up to R10 million if their organisation is in breach of the Act. This applies to any legal entity.
It is almost impossible to meet the requirements of PoPI without the right IT tools and platforms in place. Luckily, these tools usually have many other benefits and can streamline operations and boost efficiencies.
Conditions of the Act
PoPI has eight conditions that companies MUST comply with…
Accountability
All legal entities need to be responsible, accountable and must comply with the conditions of the Act.
Processing limitation
You must justify why you are processing and capturing private information. Also, there should be limits in place as to what information you process and how much of it. You must have the consent of the party to whom the information belongs, and any processing of this information should be compatible with the original purpose for which it was collected.
Purpose specification
The data must be captured for a specific and justifiable reason and the party must be aware of this. A record must not be kept for longer than deemed necessary.
Further processing limitation
Any further use or processing of information collected must be related to the original purpose for which the information was collected.
Information quality
All information collected must be correct, up to date and not misleading. This applies to backups too.
Openness
To fulfil the openness condition, a notification must be sent to the party whose information is being captured. The party must be able to view your name and/or company name and address, and be informed of the reason why you are collecting this data and what the information is.
Security safeguards
This is arguably the most important and actionable condition of the PoPI Act, specifically when it comes to IT and technology. Firstly, you need to identify the data which contains personal information and treat it with care. Secondly, all such information must be secured, and you must be able to prove that steps have been taken to do so in the most effective way possible. If there is a security breach, you must inform the regulator and the party whose data is affected.
Data Subject Participation
The party whose information you have has the right to ask for any data that you have about them. They can also request that you permanently delete this information, or update it.
Embracing the Role of IT
Apart from the governance aspect, IT has a critical role to play in PoPI compliance. There are numerous public examples of how data breaches can (and do) occur, and the results can be catastrophic for a business. This is no longer about having a firewall and decent passwords. Data security now needs to be a company-wide practice which is included in almost all policies and procedures and supported by the right IT solution. The good news is that getting there will not only make you compliant, but it’ll also improve business processes, reduce risk, and help you sleep better at night.