The Protection of Personal Information Bill, or PoPI, has been in discussion for years and will become a law which deals with a critical part of global society today – the increasing ability to store and process personal information. However, protecting personal information has become more and more complex due to a number of factors. These include the increasing stores of information, the access requirements needed to develop new business, the never-ending changes in technology and the risk of security breaches.
PwC, CIO Magazine and CSO Magazine’s jointly conducted Global State of Information Security Survey took place between February and March 2010 and is based on responses from more than 12,840 CEOs, CIOs, CSOs, VPs and directors of IT and security companies. It reported that for financial services firms, 29% of security-related incidents involved the exploitation of data. Furthermore, 37% of the incidents related to current employees and another 20% to former employees. Together this exceeded exploitation by hackers, which accounted for 33%.
When embarking on a Protection of Personal Information Bill (PoPI Bill) compliance project, this means that the most important aspects to get right are the protection of data and the control of processes around employees.
The right to personal privacy is a collective human right and is enshrined in the Universal Declaration of Human Rights, as well as in the Constitution and common law of South Africa. Abuse of this right in SA (and in other countries) necessitates legislation specifically designed to counter this scourge. Several countries around the world already have legislation that prevents the cross-border transfer of personal information to countries which do not have such legislation, which in turn prevents cross-border business transactions.
The introduction of the PoPI Bill will certainly be a welcome development in South Africa. It aims to reduce and manage the misuse of personal information and will help the country increase its national commerce, while allowing for cross-border data flows into other countries with similar legislation.
The ability of identity theft and misuse of personal information to severely compromise a country’s corporate integrity is often underestimated. Global businesses looking to relocate to or expand into South Africa experience hindrances, as prospective investors require stronger privacy protections in order to safeguard their companies in other jurisdictions. Adopting the PoPI Bill and adhering to its regulations allows a company to operate more effectively on the international stage, while at the same time securing client trust by assuring clients that their information is safe and not subject to any abuse.
Instead of attempting to implement the PoPI Bill directly, companies should take a holistic approach to their privacy practices by first understanding what the bill wants to achieve – and what measures need to be put in place in order to adhere to its requirements.
What do companies need to know?
Forewarned is forearmed. There are five essential steps to implementing PoPI in your business:
1. Put privacy governance in place
Support and commit to privacy by establishing accountability structures and employing a Chief Privacy Officer. Since privacy is the responsibility of every person in the organisation and cannot be implemented by one person alone, it is important to establish a privacy steering committee, involving all parts of the business. These governance structures should be supported by a privacy charter, backed by solid processes around policy, principles and governance.
Consideration should also be given to governance of third parties/outsourced providers.
2. Focus on the data elements
PoPI specifically names approximately 40 sensitive data elements. This includes data elements from laws in other countries and jurisdictions, as well as industry regulations.
Identification of the data elements in the different areas of the business is key, as you can’t protect data and comply with PoPI if you don’t know what it is you need to protect and where it resides. Data in transit should not be forgotten either. Working from a list of data elements makes it easier to determine the priorities for data protection – and also which record retention processes, standards and policies should be established in order to ensure that data quality is maintained. It will also help identify unnecessary stores or retention of data; reducing your data footprint can ultimately mean cost savings and less risk of identity theft and non-compliance with PoPI.
3. Adopt an integrated framework and identify weaknesses in compliance
The principles and conditions of PoPI are based on industry good practices that have been accepted and deployed globally. Establishing an integrated privacy, security and identity theft prevention framework will not only provide a baseline for complying with PoPI, but also for other compliance requirements such as PCI, FICA, RICA etc. By reviewing the actual environment against the integrated framework, control and compliance weaknesses can be identified and an improvement programme determined.
4. Privacy awareness
Inform and educate the organisation by training executives, relevant non-executives and management. Implement a training and awareness programme for all staff including IT, front-line, customer services and call centres.
Don’t try to make your employees and business partners experts in the law; instead, focus the training on what they need to protect, why they need to protect it, how this adds value to the company and what they should do if the protection of personal information is compromised (for example, when a memory stick is lost).
5. Develop a road map
Once the environment has been assessed against the integrated framework and the items which are most important to protect, i.e. the data elements, have been identified, a PoPI compliance roadmap can be established based on the gaps found. Prioritise weaknesses in compliance with PoPI in accordance with your risk appetite and business objectives. Identify short-term ‘quick-win’ changes (initiatives and projects).
PoPI is a journey, not a deliverable
It should be clear that PoPI is not a once-off initiative but a journey. Risk profiles will change all the time, given new technological and people challenges and new business initiatives. Consistently ensuring that staff and all those responsible for managing or handling personal information are knowledgeable about privacy requirements will not only win new business, but also establish the company as a respected player in its field.
Institutions adopting the principles of PoPI will not only position themselves in a favourable light to prospective foreign investors from countries with similar legislation, but also support their business endeavours beyond South Africa’s borders and help them gain client trust. Consequently, awareness of privacy requirements will improve, helping organisations to comply with the law – while gaining a competitive advantage.
By Angeli Hoekstra, PwC global leader for IT Governance and SA leader for Privacy