Companies will only have a year’s grace to comply with the provisions of the Protection of Personal Information Act.
South Africa remains vulnerable to the threat posed by data breaches and has been found to have the highest probability of experiencing it.
The recent hack of credit data firm Experian SA, in which the personal information of as many as 24m South Africans and almost 800 000 businesses was exposed, illustrates our vulnerability.
It is against this background that many South Africans have eagerly awaited the implementation of the remaining provisions of the Protection of Personal Information Act (POPIA), says Nadine Mather, associate director at law firm Bowmans.
The act came into effect on 1 July and businesses have been granted a grace period of 12 months (until 1 July 2021) to ensure they amend their systems, procedures and policies to become fully compliant.
This may sound like sufficient time, but Terence Govender, director at Mazars IT Advisory, says few businesses have a clear road map of how to become compliant within this time frame. “This also means that it is difficult to implement a compliance strategy that is cost-effective.”
A survey done last year showed that 34% of businesses have been ready to comply with the POPIA requirements.
The key sections that came into effect on 1 July include the conditions for the lawful processing of personal information, dealing with special personal information (such as race, health, religion) and direct marketing.
The act will enable SA to participate in the global data economy and ensure trade with countries that have significant data protection legislation in place. Mather says the lack of adequate data protection laws in SA affects trade with jurisdictions that have extensive privacy laws, such as the EU.
Only time will tell how effective our legislation is, but there are concerns that the current wording of the act may allow for different interpretations, notes Mather.
This means that businesses may need significant guidance from the Information Regulator, established to implement the act and to enforce compliance with the provisions of the act. “Absent this guidance, it could give rise to inconsistent application or litigation,” she says.
The collection process
Any business that collects, stores, organises or uses the personal information of a data subject such as an employee, supplier, customer, job applicant, visitor, trainee, or contractor is involved in the processing of personal information.
It is unlikely that there are any businesses which do not engage in the processing of personal information of any data subjects in any manner or form. Most companies in the public and private sector must comply with the provisions of POPIA.
Govender notes that many companies are primarily focused on policies and procedures. In many instances companies’ systems generate documentation that contains requests for personal information.
It will be crucial to revisit these systems to see whether the information required is relevant to the business operations, and whether customers are informed that their information is being stored, he says.
Mather adds that there has been this widely held misconception that companies need an individual’s consent to process (collect, store, use) their information. “This is not so.”
The act describes consent as a “specific voluntary expression of will”. However, there are various grounds where consent is not needed. This includes compliance with an obligation by law, such as Covid- 19 regulations in terms of health screenings.
The act requires that businesses must take “appropriate, reasonable, technical and organisational measures” to prevent loss or unauthorised access to personal information. Unfortunately, the act does not provide further guidance as to what would constitute “appropriate, reasonable, technical and organisational measures”, says Mather.
“We are hoping for further guidance from the Information Regulator in this regard. In the meantime, businesses should comply with global security standards.”
This may include the installation of anti-virus programmes, using encryption software with complex passwords and protected wireless networks to avoid data breaches – if not already in place.
In her 2020-2025 strategic plan, Pansy Tlakula, chair of the Information Regulator, said that the number of data breaches in both the public and private sectors, the unlawful and unauthorised use of personal information of individuals, cybercrime and identity theft are increasing at an “alarming rate” in SA.
Any data breach must in future be disclosed to the regulator and the data subjects that are affected. If any such breach is not disclosed by the business, but it is brought to the attention of the regulator, the business is in breach of the act itself.
Getting it right
The act requires businesses to register an information officer with the regulator to ensure compliance and to deal with requests made by individuals about the processing of data and to assist the regulator with investigations.
It does not have to be a new position or an external appointment. It can be an individual already employed by the company who has sufficient knowledge of the business and its operations.
Govender says that depending on the size of one’s organisation, it is possible to become POPIA compliant on a reasonable budget. “While there are certain aspects of becoming compliant that may be best to do with the help of an outside service provider, it is possible to make all of the necessary changes oneself.”
He explains it will be vital for businesses to conduct some form of readiness assessment within the next three months. This includes identifying what information is collected, the purpose and relevance of doing it, where it is stored, and who has access to it and for what purpose.
Then the hard work needs to be done in which internal processes, document storage, policies and all aspects of the organisation that deals with personal information should be amended where needed.
The final two months of the grace period should be set aside for verification, says Govender. If there are any gaps or errors, two months will likely be just enough time to detect and rectify them before the deadline.