“Forewarned is forearmed” (wise old proverb)
The Protection of Personal Information Act (POPI) has been in the public domain for several years and has been enacted into law, but its enforcement provisions are not yet in effect. The appointment of a Regulator and the issuing of draft Regulations for public comment, however, indicate that the Act will probably come into effect in 2018. The recent massive database leak may lead to a bit of fast-tracking here.
POPI will require that all personal information (IDs, health records, religion, employment records, sexual orientation, etc.) remain confidential, and organisations need to identify where this information is held and take steps to protect it.
Although there will be a twelve-month grace period (from the date POPI’s enforcement provisions become effective), entities should not underestimate how much work is required to ensure compliance.
The growing trend of hacking of private information will make this task more onerous and additional costs may need to be incurred to ensure that adequate cybersecurity measures are in place.
Small and medium-sized businesses (SMEs) will be under greater pressure, as they do not have the resources of the larger corporates.
What will you need to do?
You will have to –
- Appoint an Information Officer (the person or entity responsible for the implementation and operations of POPI).
- As a starting point, identify what personal information you hold and how it is processed, given to third parties, stored and destroyed.
- Design, test and implement systems and procedures to ensure compliance with POPI.
- Have policies in place to report any breaches of personal information.
Per the draft Regulations (comment has been called for so they could well change):
- A manual (which is available to the public) setting out how the organisation complies with POPI must be drawn up. The manual needs to provide assurance that personal information will be adequately protected;
- Measures and systems must be in place to respond to requests for access to personal information; and
- Training sessions must be held for relevant stakeholders to ensure that there is an understanding of POPI and that the company’s systems are compliant.
Penalties for non-compliance are severe – a fine of up to R10m or ten years’ imprisonment.
Don’t forget also the potential cost of being sued by people or organisations whose personal information falls into unauthorised hands or is hacked whilst under your control. Consider, for example, the possible claims arising from the recent South African database leak compromising the private data of 60 million people. (As a side note: check whether any of your email accounts have been compromised here – remember to check all your email addresses, personal as well as business, and seek advice immediately if in any doubt.)
It will therefore be critical that you can demonstrate you have done the necessary preparation and have put in place robust systems to protect personal information.
Start planning for POPI now – non-compliance will expose you to huge risk once the Act kicks in, and forewarned really is forearmed!