The Protection of Personal Information Bill will have massive consequences for the country when it becomes law. Do companies understand the implications and are they prepared for this new law?
Francis Cronjé is an information governance specialist with a strong legal background and years of practical experience, advising large entities on the powerful impact of POPI. I spoke to him at a recent Nashua conference.
Q What exactly is POPI?
FC POPI is an acronym that is utilised for the Protection of Personal Information Act. It is the equivalent to what they have in Europe, referred to as the European Union Data Protection Directive, or what they have in the UK, and is better known as the Data Protection Act.
Q Why should companies and South Africans care about POPI?
FC First and foremost there is a moral responsibility for companies and individuals to take responsibility for the personal information about other people that they collect and subsequently process. There are several examples out there of people who have been the subject of identity theft. Their lives have been turned upside down. There have been many instances of people who have been blacklisted, or suddenly find themselves married to someone else, or even with massive loans that they were not aware of. The first step of fraud starts by stealing someone’s personal information.
Q How did we get to this point with regulating our personal information?
FC It has been a long process that started off with our constitution. In terms of this, everyone has the right to privacy, and that means not having your communication infringed. For instance, we saw the promulgation of the Regulation of Interception of Communications Act. What it also means in terms of that right to privacy, is that people can’t just utilise your personal information in any way they want.
In 2002 the South African Law Reform Commission was instructed to start working on a green paper, which subsequently became a white paper, then a bill, which has been enacted. We are still waiting for commencement. When that happens, organisations and individuals will have 12 months to comply with this piece of legislation.
It is not seen from just a privacy perspective. One must also look at it from a consumer protection perspective. If you look at section 10 of the Consumer Protection Act, for example, it speaks of unsolicited marketing, and in terms of POPI this forms a large part of the new legislation.
This also relates to your personal electronic information. So from a technological perspective your information doesn’t just reside online but offline. You become vulnerable once you start shopping online, or submitting information, or even emailing your ID book to a travel agent or a bank for motor finance. All of those actions become quite critical, especially when you consider how massive ID theft has become worldwide. South Africa is right up there with countries most vulnerable to cyber crime. It puts us in a position where not only our citizens, but also foreigners visiting, are vulnerable. They are all having their personal information processed, and that needs to be regulated to keep everyone safe.
If you look at the World Economic Forum recently, it was made clear that we shouldn’t care so much how we go about collecting personal information, but rather more about the custodianship that we have over that information. I still believe that it is very important to make sure that you only process information if you have a right to it. This doesn’t apply to just private companies but also to public and governmental organisations. So your information needs to be protected right across the board by everyone.
Q How do companies and organisations become POPI compliant? What are the steps that need to be taken?
FC It depends on how one wants to approach it. Ultimately the head of a company is responsible. This person will have ultimate accountability to fulfil the role of information officer as defined in this piece of legislation. If a company wants to start right upfront, many follow the route of a project.
I personally believe that you have to operationalise it as soon as possible, by setting up a privacy governance framework within the organisation that can take the form of a physical or virtual privacy office. Rather drive the project from within the office. In other words, you have the accountability assigned from right upfront and then you drive it. There are so many different ways to approach the POPI Act. You can even start by doing a gap analysis, or even by enforcing some quick wins and taking care of those aspects within the organisation where information is highest at risk. It is important to categorise, but there is no specific way on how to start.
Q One needs to get started. The danger is if you don’t, you could be opening up your organisation to litigation if there is a privacy breach.
FC Over and above the normal litigation, if you don’t comply and take this act seriously, you will be open to civil remedy and regulatory fines, and you will be open to penal fines and sanctions. We are not trying to scare people from a compliance perspective. We are saying that you need to sort out your corporate governance first and foremost, by taking care of your information governance.