As the Parliamentary Technical Committee continues to deliberate the Protection of Personal Information (PoPI) Bill in preparation for its likely enactment in 2012, there are challenges that organisations are likely to face when complying with the Bill’s requirements.
Both in South Africa and globally, the rising concerns of identity theft, fraud and cyber criminal activity have been escalated as a result of newer technologies and the growing popularity of social media and access to the Internet.
Governments have become increasingly concerned with the purposes for which organisations collect their citizens’ personal information, why they keep it, and how they protect it.
According to a survey done in South Africa by PwC, many organisations face a long journey to becoming compliant with the requirements of this Bill, which has been drafted to give effect to the constitutional right to privacy for South African citizens.
The Bill brings a significant level of protection to both businesses and individuals on how their personal information is handled, which will hold organisations accountable for their actions when dealing with such important data. As the Bill will significantly impact on the way they do business, organisations need to change their policies and processes to comply with the new legislation.
“Some larger financial institutions and telecommunications organisations have begun their privacy programmes, a few of which are relatively advanced, but even these organisations are concerned that they may not be able to complete their programmes in time for the deadline for compliance,” it says.
Mark O’Flaherty, a Partner at PwC, agrees that the lack of readiness is a major concern. “Organisations need to begin their compliance processes immediately or else they will likely face unexpected obstacles in the road.”
In addition to the pre-existing need to protect people’s personal information, the other reason that South Africa needs privacy regulation is to ensure it continues trading effectively with other countries. The Bill arises from international data protection regulation developments and the South African legislation is intended to harmonise with international practices.
“The PoPI Bill is the most comprehensive piece of privacy legislation in the world at the moment, and the burden of complying with it is going to be a difficult one,” says O’Flaherty. “For organisations with complex business processes who gather multiple types of personal information, the road to compliance is going to be much longer and more challenging.”
One such challenge, which has been noted as possibly the largest of them, is the extraordinary scope of the definition “personal information”.
The data elements can be explicitly defined in some cases, such as requiring a person’s name in conjunction with certain other specified information, however the Bill currently defines personal information as that relating to an identifiable person, including but not limited to the more than 45 data elements currently listed.
PwC recommends that organisations review their processes and data flows regarding the management of personal information.
“In developing processes, the organisation will need to bear in mind the life cycle of data, the data elements being collected and most importantly, when personal information will need to be destroyed as it is no longer needed. Training of employees will be essential, as the best-designed privacy programme is likely to fail if employees do not understand their responsibilities when it comes to the handling of personal information.”
It may initially be wise for the Regulator to focus on awareness and training of organisations, educating rather than enforcing in the beginning – an approach that has been seen in other countries.
When compliance with privacy legislation becomes a mature process, the Regulator should then move to playing more of an enforcement role, penalising those organisations that do not take the necessary steps to protect the personal information they are responsible for.
“Compliance with the PoPI Bill is likely to be a lengthy, gruelling process. We encourage organisations to establish their privacy programmes soon to understand the complexities they may not have initially anticipated,” concludes O’Flaherty.