According to Rian Hancock, Director at Eclipse New Law, data is one of the greatest challenges that compliance professionals come face-to-face with. Technology, analytics and artificial intelligence (AI) are developing on an exponential trajectory, making it difficult to stay ahead of them. While improvements in this area make our businesses more innovative and efficient, the ever-evolving industry also carries a degree of burden, arguably equal to its benefits. We can see instances of this in the Protection of Personal Information Act (the POPI Act, or POPIA) and in the General Data Protection Regulation (GDPR).
Increasing risk surrounding data security has created a global push toward ensuring personal data and privacy protection. The POPI Act, expected to commence later this year, will be in place to help businesses in South Africa (and those domiciled elsewhere that carry out operations within SA) address these emerging issues and implement more effective procedures for processing data. Companies that fail to apply stringent measures against possible data breaches could face reputational damage and subsequent financial implications if such a breach occurs. The consequences can be further exacerbated if the breach is due to non-compliance.
Industry experts are encouraged to stay well informed on how their data is protected and on how legislation in this area develops over time. Data privacy, simply put, is both about the proper handling of data and about the public expectation of privacy. This puts pressure on organisations to process personal data while simultaneously protecting the individual’s privacy preferences. It focuses on the entity’s methods of collection, processing, storage, sharing, archiving and disposal of data, and whether these are carried out in accordance with legislation.
As technology evolves, so too will data privacy solutions. The rate at which data is exchanged is rising rapidly, increasing the intensity of oversight and enforcement actions on data protection. This leads to the development of new rules and regulations to combat and prevent privacy issues. The complexity of this requires a multitude of expert skills and external support, making compliance in this area a significant task for organisations. Data is an asset to any business – a strong data management framework accompanied by constant monitoring and improvement is essential to ensure that it does not become a liability.
Preparing for the POPI Act
Leon Soko, a GRC Advisor at CURA, highlights the importance of preparing adequately for the official commencement of the POPI Act. Soko outlines the principles and the practical steps to be taken to achieve this. The POPI Act defines the following 8 principles of processing personal information:
- Accountability: the responsible party must ensure that the eight information processing principles are complied with.
- Processing limitation: processing must be lawful, and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.
- Purpose specification: personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
- Further processing limitation: this applies where personal information is received from a third party and passed on to the responsible party for further processing. In these circumstances, the further processing must be compatible with the purpose for which the information was initially collected.
- Information quality: the responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
- Openness: personal information may only be processed by a responsible party that has notified the Information Protection Regulator. Further to this, certain prescribed information must be provided to the data subject by the responsible party.
- Security safeguards: the responsible party must secure the integrity of personal information in its possession or under its control by taking prescribed measures to prevent loss of, damage to or unauthorized destruction of personal information, and unlawful access to or processing of personal information.
- Data subject participation: a data subject has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject, and to request from the responsible party the record or a description of the personal information held.
Source: Protection of Personal Information Act 4 of 2013
Practical Steps to Implement the POPI Act
In order for organizations to comply with the principles of the POPI Act, the following activities are recommended:
1. APPOINT A CHIEF INFORMATION OFFICER (CIO)
The CIO is the most senior information and technology officer in the organization. They are responsible for the management, implementation and usability of information and technology in the organization, which is a requirement of the first principle (accountability) of processing personal information in the POPI Act.
2. IDENTIFY THE PERSONAL INFORMATION CURRENTLY BEING STORED BY THE ORGANIZATION
The fifth principle (information quality) of processing personal information in the POPI Act requires organizations to identify the information in their possession and to ensure that the personal information that has been collected is complete, accurate, not misleading and up to date.
3. NOTIFY THE REGULATOR THAT THE ORGANIZATION WILL BE COLLECTING AND PROCESSING PERSONAL INFORMATION
The sixth principle (openness) of processing personal information in the POPI Act requires organizations to notify the regulator if they will be processing personal information.
4. ENSURE THAT CUSTOMERS ARE AWARE OF THE FOLLOWING:
- That their personal information is being collected
- The reason their personal information is being collected
The third and sixth principles (purpose specification and openness) of processing personal information in the POPI Act require organizations to disclose to individuals that they will be collecting their personal information, and for what purpose it is being collected. This can be achieved by including this information in a terms and conditions page that individuals must agree to before they engage in any business activity with the organization.
5. APPOINT AN IT SECURITY SPECIALIST
The seventh principle (security safeguards) of processing personal information in the POPI Act requires an organization to ensure that the integrity of the personal information in its control is secured through technical and organizational measures. The IT security specialist will be responsible for designing, testing, implementing and monitoring security measures for your company’s systems.