The Protection of Personal Information Act (POPI), 2013 came into force 1 July 2020.
Rohan Isaacs and Tatum Govender from the Technology and Privacy team at Herbert Smith Freehills South Africa answer some questions, and Colin Thornton of Dial A Nerd unpacks how SMEs can protect their clients’ data.
What exactly is POPI?
POPI is South Africa’s data privacy law and it stands for the Protection of Personal Information Act, 2013. It is sometimes also referred to as POPIA. It governs when and how organisations collect, use, store, delete and otherwise handle personal information.
What is personal information under POPI?
Generally speaking, personal information is any information that can be used to personally identify a natural or juristic person (i.e. an organisation). This includes name, identity number, age and addresses.
Who does POPI apply to?
POPI applies to all local and foreign businesses and organisations processing (i.e. collecting, using or otherwise handling) personal information in South Africa.
What does this announcement mean for your organisation?
You will have 12 months from 1 July 2020 to become compliant. This means that although there will be no sanctions for non-compliance during that period, you must work towards compliance. For most organisations this is no easy feat, as it requires an analysis of all personal information within your organisation, where you get it from and what you do with it. We recommend that organisations that have not yet started becoming compliant do so as soon as possible, or they could face fines, penalties and other adverse consequences in future. It is also a good time to commence a data privacy awareness programme within your organisation.
What is POPI compliance?
You will need to establish measures that ensure that you only collect, use, store, delete and otherwise handle personal information in permitted ways and that it is appropriately protected from unauthorised access or loss. The measures that each organisation employs will be different but in practice it will mean more policies and procedures for your organisation and you will need to inculcate a culture of data protection in your organisation.
Does POPI provide any benefit to businesses?
POPI provides the opportunity to analyse and have more control over the data handled within your organisation and to better understand its purposes. As data is an increasingly valuable resource, better data management can increase the efficiency and effectiveness of any business.
What does POPI mean for consumers?
Consumers will benefit from POPI’s requirements that their personal information must be protected and that it can only be collected or handled where there is a lawful justification for doing so. POPI gives consumers specific rights in respect of organisations handling their personal information and it gives consumers greater control over their personal information. Consumers are informed about what personal information is collected, by whom and why, so that they are able to make informed decisions.
Who regulates POPI?
POPI is regulated by the Information Regulator.
What are the fines and penalties for non-compliance?
The fines and penalties vary depending on the offence, with a maximum of 10 years in prison or a R10 million fine.
Every person has a constitutional right to privacy, which has many aspects (including privacy in the home, private communications and private information about a person). POPI gives practical effect to that right insofar as it relates to personal information handled by organisations. It provides a direct mechanism through which that aspect of the right can be enforced.
Is POPI different from the GDPR?
POPI is similar to the EU’s data privacy law, called the General Data Protection Regulation, but it differs in some respects. The main difference is that POPI regulates corporate personal information, where appropriate, whereas the GDPR does not.
Your SME is not too small for POPI!
“Critically, every business falls within POPI’s reach – your small business too,” says Colin Thornton of Dial a Nerd. This is essential to note, especially when you consider the wording of the Act and how it requires directors, people and businesses to do everything that can be considered “reasonable” to protect their clients’ data. Ethically, it is also the responsible thing to do.
The global Cyber Exposure Index ranks South Africa sixth on the list of most-targeted countries for cyberattacks, while PwC’s 2018 Global Economic Crime Survey ranked cybercrime as the second most frequently reported type of fraud (and identified it as the most disruptive and serious economic crime expected to impact organisations in the next two years). Moreover, SMEs are just as vulnerable to hacks and data theft as their larger counterparts – and are in fact even more vulnerable because they have fewer dedicated IT security resources available to them.
“We advise that you don’t spend too much time concerned with the Act itself – rather make sure that you understand everything you can about where your data is; who has access to it; and what your mitigation and recovery plans are to keep your business operational when you are hacked (or have an outbreak of malware),” says Thornton.
Let’s look at an example: a financial manager is technically a one-person business (i.e. a very small company), but he/she is in possession of clients’ personal data, including sensitive financial data. This means that his/her adherence to the Act is imperative, even when compared to a furniture manufacturer that possibly employs 50 people. Yet even in the latter example, the personal data of those 50 employees is on file, so a high degree of responsibility and adherence to the Act is required there as well.
Getting your data (house) in order: layered security
As mentioned, business owners and SMEs shouldn’t concentrate on the Act itself, but should rather ensure that they understand the concept of layered security. Much as you protect your home and business with physical security (guards, electric fences, etc.), you must now protect the data in your business both digitally and physically – and back this up with continuous education and awareness training.
Importantly, this is a systematic approach that is made up of many layers. When properly and professionally executed, it creates a robust system of defence that is effective in mitigating the massive risks that sophisticated cybercrime and data theft present today. It is also an essential strategy to make sure your SME complies with POPI and GDPR!
This approach includes the following elements:
- Endpoint Security
- Education & User Guidance
- Network Security
- Contract Support
- Server and/or Hosted Security
- Monthly Reporting
While your business rivals may be shuffling papers and making calls to understand POPI and GDPR, your SME will undoubtedly gain many critical competitive advantages by turning its focus to the more important question of data security and robust data management. By focusing on strategies such as layered IT security, savvy business owners can ensure that their employees and stakeholders will be left in peace to achieve growth and sustainability – while others get caught in the crosshairs of POPI and cyber criminals!