MEDIA: Organisations May Not Be Ready for PoPI Compliance Deadlines
Recent Gauteng Business News
Both in South Africa and globally, concerns about identity theft, fraud and cyber criminal activity have escalated as a result of newer technologies, the growing popularity of social media and widespread access to the Internet. Governments have become increasingly concerned with the purposes for which organisations collect their citizens' personal information, why they keep it, and how they protect it.
POPI Compliance A Long Journey
According to a survey done in South Africa by PwC, many organisations face a long journey to becoming compliant with the requirements of the PoPI Bill, which has been drafted to give effect to the constitutional right to privacy for South African citizens.
The Bill brings a significant level of protection to both businesses and individuals in how their personal information is handled, and will hold organisations accountable for their actions when dealing with such important data. As the Bill will significantly affect the way they do business, organisations need to change their policies and processes to comply with the new legislation.
"Some larger financial institutions and telecommunications organisations have begun their privacy programmes, a few of which are relatively advanced, but even these organisations are concerned that they may not be able to complete their programmes in time for the deadline for compliance," the survey says.
Mark O'Flaherty, a Partner at PwC, agrees that the lack of readiness is a major concern. "Organisations need to begin their compliance processes immediately or else they will likely face unexpected obstacles in the road."
In addition to the pre-existing need to protect people's personal information, the other reason that South Africa needs privacy regulation is to ensure it continues trading effectively with other countries. The Bill arises from international data protection regulation developments, and the South African legislation is intended to harmonise with international practices.
"The PoPI Bill is the most comprehensive piece of privacy legislation in the world at the moment, and the burden of complying with it is going to be a difficult one," says O'Flaherty. "For organisations with complex business processes who gather multiple types of personal information, the road to compliance is going to be much longer and more challenging."
One such challenge, noted as possibly the largest of them, is the extraordinary scope of the definition of "personal information". The data elements can be explicitly defined in some cases, such as requiring a person's name in conjunction with certain other specified information. However, the Bill currently defines personal information as that relating to an identifiable person, including but not limited to the more than 45 data elements currently listed. In addition, the inclusion of juristic persons as data subjects means that the Bill has a broader reach than most global privacy regulation, and therefore wider implications.
Despite the Bill's fairly lengthy description of what is meant by personal information, certain elements are somewhat subjective. For example, one of the data elements included is "preferences". Does this then mean that a person's preference for tea rather than coffee should be protected? PwC therefore submits that certain of the elements included are likely to be difficult to interpret, and will probably be challenging to protect. The key is this: if you do not need the information, do not collect it, and then you will not need to protect it.
PwC suggests that organisations establish criteria for themselves to identify personal information more specifically, clarifying which information is considered personal information, whether in conjunction with other elements or not, and under what circumstances.
"Our understanding of the Bill is that information is personal to the extent that it is able to identify a person, but given that it is possible to come to a different conclusion, it is essential that organisations obtain clarity on this point," adds O'Flaherty.
Management of Personal Information Key to POPI Compliance
PwC recommends that organisations review their processes and data flows regarding the management of personal information. In developing processes, the organisation will need to bear in mind the life cycle of data, the data elements being collected and, most importantly, when personal information will need to be destroyed because it is no longer needed. Training of employees will be essential, as the best-designed privacy programme is likely to fail if employees do not understand their responsibilities when it comes to the handling of personal information.
It may initially be wise for the Regulator to focus on awareness and training of organisations, educating rather than enforcing in the beginning, an approach that has been seen in other countries. When compliance with privacy legislation becomes a mature process, the Regulator should then move to more of an enforcement role, penalising those organisations that do not take the necessary steps to protect the personal information they are responsible for.
"Compliance with the POPI Bill is likely to be a lengthy, gruelling process. We encourage organisations to establish their privacy programmes soon to understand the complexities they may not have initially anticipated," concludes O'Flaherty.