Top tips for businesses to ensure POPI compliance

In light of the looming commencement date when the Protection of Personal Information Act (POPI) will officially apply, it is vital for all SA businesses to take the necessary steps to ensure compliance.

This is according to Gianmarco Lorenzi, Managing Director of Cleardata, a group company of JSE-listed Metrofile Holdings Limited, who says that familiarising yourself with the legislation surrounding POPI is not a simple task. “Businesses may need to alter processes completely and may even need to hire a dedicated manager who ensures that all processes are carried out in accordance with the industry-specific requirements.”

One of the most important areas of POPI compliance involves the requirement for confidential destruction of any documents containing personal details, says Lorenzi. He adds that failure to comply with the Act can lead to fines and penalties as well as massive reputational damage.

Lorenzi suggests the following tips for businesses to keep in mind when planning a strategy to ensure POPI compliance when it comes to document destruction:

Delegate the responsibility: For many industries, the procedures surrounding the POPI legislation can be overwhelming, especially if an in-house specialist has not been appointed to facilitate the process. In such cases, it is vital that businesses employ the services of a reputable information destruction partner that is compliant with international standards for document destruction, he says. “When document destruction is outsourced, organisations can focus on their core business and leave it to the experts to ensure that confidential documents and records do not fall into the hands of unauthorised parties.”

Do not neglect physical documents: Lorenzi says that while the business’s management team may often think that the confidential paper destruction aspect of the business is taken care of, it may in fact be neglected or omitted entirely. “Businesses must be sure that documents are shredded in a secure location by a National Association of Information Destruction (NAID) compliant service provider whose practices are in line with international security guidelines.”

Get rid of the clutter: Lorenzi says that management teams must know what information is stored on paper and what information is stored electronically and implement an appropriate destruction protocol in this regard throughout the organisation. “It is important to ensure that employees only store information that is required for the business and ensure that expired records are destroyed timeously and effectively.”

Know the threats: Lorenzi points to the 2014 Metrofile Information and Records Management Trends Index, which indicated that 19% of the 200 management executives surveyed have either personally experienced identity theft or know someone who has fallen victim to the white-collar crime over the past 12 months. “While identity theft and corporate crime are the major concerns, as the company could be held liable for the identity theft or financial losses experienced by a third party, it is not the only risk organisations face. Criminals can also steal physical documents which may contain client contact details and can add these contact details to a mass-marketing database that issues spam emails, text messages and direct marketing calls.”

He advises that sectors including government, banking, medical and financial services should be most cautious when disposing of documents containing personal details due to the massive amount of personal information they deal with on a daily basis.

“When destroying unwanted personal information, shredding is still the most effective data destruction method as it ensures the documentation cannot be reconstituted in any way. Failing to destroy personal customer information properly could lead to severe consequences which include hefty fines from the regulator,” Lorenzi concludes.

This article was supplied in press release form by Epic MSL Group.