SA is fast catching up with developed nations worldwide in terms of the way personal information is handled and privacy protected, with the imminent implementation of the Protection of Personal Information (PoPI) Act. While the new law may appear intimidating for large and small companies alike, PoPI is likely to make SA more attractive to businesses that wish to transfer personal information across countries. ‘The PoPI legislation was drafted with the EU Data Protection Directive requirements in mind and, in particular, with an eye on meeting the “adequacy status” under this directive,’ says Preeta Bhagattjee, national practice head at Cliffe Dekker Hofmeyr. ‘This has since been replaced with the General Data Protection Regulation [GDPR], and PoPI will probably be brought in line with the requirements of the GDPR in time.’

Since the signing of PoPI into law in 2013, it was only last year that government appointed an Information Regulator, headed by former IEC chairperson Pansy Tlakula – a step that has resulted in an all-systems-go phase for both the regulator and businesses gearing up to meet the compliance stipulations. In terms of the act, the regulator will monitor and can enforce compliance by organisations. A breach of the law could result in fines of up to R10 million or 10 years imprisonment. Speaking to ITWeb, Tlakula said: ‘We are trying to be ambitious and put a one-year deadline for ourselves. If we succeed – bearing in mind we are operating within government bureaucracy, which tends to move very slowly at times – we will be fully established by the end of the year.’

The PoPI Act covers ‘processing’, including the collection of personal information on a ‘data subject’ (person or entity to whom the information relates) by a ‘responsible party’, according to Darryl Bernstein, partner at Baker McKenzie. ‘These definitions are extremely wide, such that almost any activity performed by a company in relation to the information of its employees and potential or actual customers falls within the ambit of the act,’ he says. ‘Quite simply, the challenge to be overcome by companies is to understand what these conditions entail – specifically in relation to their own business activities as regards the collection, post-collection processing, retention and destruction of personal information.’

The key first step to be taken by any company seeking to be compliant, he says, is to conduct an audit to determine exactly what information it collects and why it needs to collect it, if at all.

‘Only then can steps be taken as to what aspects of the act are relevant for compliance purposes, and which steps need to be taken so as to ensure all the conditions for lawful processing can be met.

‘Very often companies collect – and so process – vast amounts of information that they don’t need or have no intention of using. Simply carving out these unnecessary processing activities will mitigate dramatically against the impact of the act.’

The next step, he says, is to then define the organisation’s stance on privacy and personal information, which may take the form of capturing this information in a privacy policy, strategy and supporting procedures.

‘It’s also vital to appreciate that the act gives data subjects – including all individuals and companies whose information is processed – rights in relation to that information. This creates an additional burden for companies that will need to ensure that they have mechanisms in place, not only to ensure compliance with the act and lawful processing but also to allow them to communicate and interact with the data subjects whose information they require.’

Finally, the PoPI Act also mandates disclosure to the Information Regulator when data breaches occur that result in a loss of personal information, says Bernstein. This requires mechanisms to identify breaches of information and ensure adequate responses to them.

According to Bhagattjee, all businesses will be impacted by PoPI to an extent, as even the smallest of companies process personal information, and all divisions that deal with personal information will be affected. ‘This would usually include HR and sales and marketing. Finance would process personal information of employees, customers and suppliers and the like. IT would have access to personal information as a support function and therefore would also be required to comply.

‘To start with, companies will be required to assess what information that falls within the definition of “personal information” under PoPI is being processed within their business operations; from whom is such information being collected; and for what purpose this information is being collected. Based on the answers to these, companies may require minimal to large-scale changes to be adopted in its business in order to be compliant with the requirements of the PoPI legislation.’

Bhagattjee says personal information is broadly defined in the act and includes demographic information as well as details that can be used to identify a person, for example an email address or biometric information. Opinions of or about a person, private correspondence and a person’s employment, medical and financial history are also included. The term ‘process’ is also broadly defined to include the collection, receipt, recording, storage, modification and use as well as distribution and destruction of personal information. Therefore, the act applies by virtue of the fact that you have information in your possession, even if you are not using it in any way.

‘At the very least, most businesses would be required to implement a privacy policy and then take the necessary steps to implement the principles of such policy into their business practices. Some businesses may be required to adapt their business processes and change the manner in which they carry out some of their business interactions so that they are PoPI compliant,’ says Bhagattjee.

‘This may include adapting the manner in which they sign on clients or customers by obtaining the necessary consent required in terms of PoPI in order to process personal information of their clients and customers, preferably prior to such clients or customers disclosing their personal information. Businesses would also be required to obtain the requisite consent from existing customers. A business must only process personal information for a clear purpose, which data subjects need to be made aware of.’

She adds that IT security is important in light of the recently published Cybercrimes and Cybersecurity Bill, and PoPI requires businesses that experience a security breach to notify both the Information Regulator and affected data subjects. However, as Grant Thornton IT advisory director Michiel Jonker points out, often company board members think ‘IT security’ equals ‘100% security’, which is a ‘total fallacy unless you unplug all computers’.

PoPI will force board members to take IT security more seriously, he says. ‘Many boards believe that a security breach, even if detected and reported in a timely manner, is a sign of incompetency. Board and audit committees must understand that a security breach detected in time, escalated and corrected, should be acknowledged as part of the bigger picture of enforcing IT security. It’s when no corrective measures are taken that boards need to step in.’

Experts agree that a huge impact of the PoPI Act will be in the area of security safeguards.

‘The PoPI legislation requires all-round security as part of its compliance conditions,’ says Wayne Clarke, MD of Metrofile.

‘This means that companies will need to put procedures in place that dictate how personal information will be protected from unauthorised or unlawful access, and unnecessary deletion or mutilation. Moreover, it is important that employees are trained so as to understand the responsibility and need for conforming to the regulations regarding clients’, employees’ and company personal information.’

Melanie Hart, partner at Fasken Martineau says a company will need to ensure the confidentiality of personal information in its possession or under its control. 

‘In order to do so, a company must identify all reasonably foreseeable security risks, take appropriate technical and organisational measures to prevent loss or, damage to, unauthorised destruction of and unlawful processing of personal information,’ she says.

‘A company must also regularly verify that the safeguards are adequate and effectively implemented. The security measures must be continually reviewed and updated in response to new risks or deficiencies in previously implemented safeguards. This will be particularly onerous for companies, especially those processing special personal information that requires added protection.

‘Implementation and upkeep of security safeguards will become part of a company’s day-to-day operations and it is likely that experts will be engaged to assess and certify compliance.’

Bernstein says the security measures ‘will have a huge impact on our mobile working culture: mobile devices, laptops, smartphones and tablets all contain information that needs to be adequately secured every time these devices leave the building’.

He says mobile devices constitute a massive data breach risk, and compliance requires not just an IT infrastructure upgrade – password protection, external drive permissions and so on – but also ‘policies that impact how and when people are able to access areas of the workplace, the tools they use and the information available to them’.

This will require a specific and targeted mobility strategy, mobile device policy and personal information governance policy for all staff members, he says.

By Louise Brougham-Cook
Image: Muti