Call us directly: 0861 111 501

Licence: CMS BR5404 & FSP 19742

Authorised Financial Service Provider

CMAC Licence: FSP 17112  CMS: ORG 35

James Easton - Licence: CMS BR 39065

POPI’s knocking, you better answer


March 29, 2017 Comments Off

With only a few months to go before the office of the Information Regulator is operational and the Protection of Personal Information Act (POPI) becomes fully enacted.

Organisations must be aware of the limited time left to comply with the comprehensive requirements of the new legal dispensation, stressed Michiel Jonker, director of IT Advisory at Grant Thornton, during an interactive POPI workshop held at the firm’s Johannesburg offices yesterday.

Newly established Information Regulator Adv Pansy Tlakula announced in March that her office should be fully operational around December 2017 and from that time institutions would have a 12 month grace period in which to become fully compliant. The Regulator will be responsible for monitoring and enforcing compliance and handling complaints related to breaches of data privacy.

The POPI Act, which was signed into law by President Zuma in 2013, regulates how anyone who processes personal information – such as ID numbers, telephone numbers, and addresses among others – must handle, keep and secure that information. It carries strict and substantial penalties for contravention, including prison terms and fines of up to R10-million.

“It carries strict and substantial penalties for contravention, including prison terms and fines of up to R10-million.”

“Companies and government departments especially should not underestimate how much time they will need to review and then implement appropriate systems,” cautions Jonker. “The Act will affect anyone who deals with private information – from video footage recorded in public areas to signing the visitors’ book at an art gallery, the Act requires that all such information be adequately protected.”

Make hay, a lot of it…

POPI compliance is a time-consuming process that starts with a comprehensive gap assessment across the entire physical and digital information storage infrastructure – from the call centre agent to the executive personal assistant. Once the gaps have been identified a privacy strategy can be put in place to ensure that the organisation complies with the legislation.

The compliance strategy needs to include a combination of activities like reviewing business processes, assessing the technologies needed to safeguard the information and creating awareness across the organisation so that employees know how to treat data.

“Much of POPI really filters down to individuals and their actions. Employees need to be fully aware of what data they are collecting, they need to define exactly why they’ve collected said data, who is processing the information and for what reason,” says Jonker. “For example, in some instances staff are collecting data and then passing it on to a third party for processing. They need to know how that data will be protected and when no longer needed, how it will be destroyed.”

Jonker points out that under the POPI legislation, individuals, organisations and government departments would be held accountable and they also risk legal action for not adequately protecting personal information.

“If the POPI Regulator were operational already today, an organisation suffering a data breach due to theft or cyber hack, for example, would have had a case to answer should it be found that they did not take adequate steps to protect the data, or if their security systems were inadequate in protecting such highly confidential information” says Jonker. “The sooner institutions start with the process in order to properly comply with this legislation, the better.”