In July, a European privacy watchdog slapped global tech giant Amazon with a colossal $887 million fine for alleged data-law breaches concerning the EU’s General Data Protection Regulation (GDPR) laws. The previous October, Swedish-based fashion retailer H&M had been fined €35.3 million for allegedly recording and storing several gigabytes of recorded one-on-one conversations with its employees, including information on their families, illnesses and religions. Several big corporates have run afoul of privacy laws. Google (€50 million in 2019), Italian telecoms operator TIM (€27.8 million in 2020), British Airways ($26 million in 2018), hotel chain Marriott (€20.4 million in 2018)… The list goes on, with many of the fines running into several millions.

So when SA’s Protection of Personal Information Act (POPIA) came into effect on 1 July – granting the new Information Regulator the power to impose penalties of up to R10 million, or prison sentences of up to 10 years, for infringement of personal information laws – local companies sat up and took notice.

As Graham Mead, commercial director at Proceed Group, said at the time, ‘not having a GDPR/POPIA plan, and not managing that plan, means you will create your own ticking time bomb that could destroy your commercial reputation and hit your bottom line’. Or, to put it another way, SA businesses have 10 million very good reasons to get their data-protection processes sorted out, quickly.

Yet two months in, many hadn’t yet – even though POPIA officially commenced on 1 July 2020, with a full year’s grace for compliance. When data-storage company Iron Mountain released a small, yet indicative, cross-industry survey in September 2021, 58% of the 397 respondents cited the complexity of POPIA as their top reason for non-compliance. ‘Companies are struggling because they simply don’t know how to become POPIA compliant,’ says Kevin Akaloo, national sales manager at Iron Mountain South Africa. ‘Organisations need to find standardised and clinical ways of ensuring compliance internally; they need to make it part of the company culture in order to be compliant; and internal stakeholders need to understand the significance of being POPIA compliant.’

Another small survey, published in early 2021 by TPN Credit Bureau, found that only 27.4% of companies were process-ready for POPIA, while 40.3% were ready from a governance perspective. Of the 200 companies TPN surveyed, just 8% scored above 80% for their POPIA readiness.

Johan Scheepers, the country head of Commvault South Africa, is clear on where he believes the responsibility for POPIA compliance lies. ‘While IT plays an important role in data management and therefore in compliance, technology is not a magic wand that organisations can wave to become compliant,’ he says. ‘Technology is an enabler to assist businesses with finding, classifying and managing sensitive information. However, as we have moved more into remote working, with businesses deploying a variety of collaboration tools, data has become increasingly segmented. IT can assist by providing the tools and security to prevent unlawful access to data, but it is the responsibility of the business as a whole to apply the principles of POPIA.

‘If processes and governance, both business issues, are not put into place around the data, technology will fail. In addition, POPIA law will pursue business owners, not the IT department, should a breach of compliance occur.’

Scheepers adds that POPIA presents businesses with ‘a twofold problem’. On the one hand, there’s the information that is given to the organisation; on the other, there’s the issue of how the organisation protects that information. ‘The challenge is that there is no checklist that organisations can apply to ensure compliance,’ he says. ‘POPIA is made up of a number of guiding principles that can be interpreted in different ways, including information security, data subject participation, and importantly, the right to be forgotten. This is why governance is critical. Data governance needs to become an integral part of business.’

Akaloo, meanwhile, points to several obstacles that could prevent organisations from complying with the new regulations. ‘They may lack the proper guidance,’ he says. ‘Perhaps they don’t have the internal channels to assist them to align with POPIA. They may also lack the relevant knowledge required to manage compliance around the protection of the personal information that they hold.’

He suggests two other obstacles that may be unique to the SA market. ‘The first is how businesses manage and store data,’ he says. ‘A lot of South African companies are still storing paper documents. If data is stored on paper and kept in various places, it’s difficult to manage it and be compliant. The second aspect is the South African culture, where companies are used to storing data in traditional ways. There’s an aversion to technology owing to dependency on legacy storage and management systems.’

Stuart Oberholzer, information security compliance manager at online payroll provider PaySpace, expands on this by warning that while many local businesses have moved to cloud platforms to manage their remote workforces, too few understand what that means in terms of their data. He says that while cloud providers and third parties are obligated to protect any personal data they handle, process or store, when it comes to ensuring the safety of their information, the onus is on the organisation that contracted them.

‘Primarily, cloud providers need to ensure that data is stored within South Africa’s borders,’ says Oberholzer. ‘In fact, should any data be stored outside the country, they should seek legal advice, and also get full consent from the data owners to make sure that any affected customers are aware of this.’

Businesses that store data outside SA, meanwhile, should ensure it is being stored in a territory that has similar or stronger regulation in place than POPIA. ‘But in terms of data responsibility, it ultimately lies with the customer to make sure their data is safe and secure,’ says Oberholzer. ‘They need to understand where their data is being stored and if they haven’t been contacted by their cloud provider yet, they should take the initiative and contact them.’

The customer, in this case, is often a third-party provider, and not necessarily the person whose data is being stored. Very few South Africans know who has access to their personal information. Those telesales cold callers must be getting your name number from somewhere. But where, and how, and for what purpose? You don’t know. And that’s unnerving, icky and – under POPIA – illegal.

That’s why, when commenting on POPIA, Menwil Gordon, support manager at business solutions company SYSPRO Africa, is so quick to highlight a particular line. ‘According to the POPI Act, “a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures”,’ he says. ‘Ultimately, when South African citizens and businesses entrust their data to an organisation, that organisation is responsible for protecting it. It is therefore our responsibility to ensure that all information and data we collect and store is secure and managed correctly.’

One of the key points of the new regulation is transparency for the data subjects, adds Gordon. ‘This means that businesses whose data we have collected are able to find out what we have collected, our intentions, who has access to the data and how long the data lives within our systems,’ he says.

SYSPRO Africa puts the person at the centre of the personal data problem. Iron Mountain’s Akaloo agrees with this approach. ‘Compliance is traditionally seen from a risk perspective, with the business needing to manage data and prevent data breaches,’ he says. ‘However, it can also be approached from a customer-experience angle, in terms of protecting their personal data. Companies can embrace POPIA to guarantee data protection for customers and use that as an asset to drive business opportunities by showing customers that the company takes responsibility, and their data will be safe, thereby creating trust among their customer base.’

Whether an organisation is taking better care of user data out of a desire to care for customers, or simply to comply with POPIA requirements, the end requirement remains the same. And while POPIA is now in force, it is by no means set in stone. Every new technology that emerges, every advance in cloud storage or data management, is another potential risk. Commvault’s Scheepers sums up the challenge. ‘Compliance and governance are not once-off exercises,’ he says. ‘There is no end goal or destination. They are changes in business process and practice that must constantly evolve to meet the changing threat and regulatory landscape.’

By Mark van Dijk
Image: Gallo/Getty Images