By Allie Philpin
POPI, the acronym for South Africa’s Protection of Personal Information Bill that is set to be signed into law, has left businesses in the country a little unprepared when it comes to their data management. They have been given a year to ‘get their house in order’ but many are finding that adapting to the new legislation is proving rather more technical, and costly, than previously thought!
The aim of the POPI bill is to protect the rights of the people of South Africa, as well as align the country’s data protection practices with international best practice standards. POPI has been developed in order to prevent negligent disclosures of personal information, requiring organisations to act responsibly when capturing and storing personal data, and only with your consent. The new bill will also expect organisations to keep their records up-to-date and take steps to ensure that the data they store is secure until it’s destroyed; and there’s even new legislation to comply with when destroying data!
Cibecs, who specialise in data protection solutions, conducted a recent survey which showed that just 26% of respondents are looking at current technology to help them adapt their business processes to make sure that they are ready and able to comply with POPI. Ayanda Dlamini from LGR Telecommunications believes that many South African businesses are struggling to comply with the new legislation. Dlamini said recently: “Usually, companies are given up to a year to comply with new legislation but considering the scope of this particular bill, a year may not be enough.”
Protected data will now range from ID numbers and contact details, right through to biometric data, information on finance and education, medical records and online identifiers. The POPI bill will also affect the internal operations of companies, and many are discovering that their business processes are just not equipped to deal with this level of data protection, often requiring an overhaul. But don’t rely on just technology to ensure compliance as data profiling and meta management tools are not fully capable of taking on that responsibility as yet.
Dlamini added: “Adapting to these new provisions will require careful planning and collaboration from a multi-disciplinary team. Now, data management and processes must move beyond the domain of IT, into the legal and risk departments, and must include top management.”
A regulatory body is due to be established that will issue penalties for non-compliance. Add to this the potential of civil suits for non-compliance at some point down the line, and it is becoming increasingly important that businesses in South Africa, and those that conduct their business with the country, act now to comply with POPI.