Why you should care about POPI
The Protection of Personal Information (POPI) Bill is expected to be signed into law in South Africa in 2013. Experts in the field of PCI DSS (Payment Card Industry Data Security Standard) compliance security solutions say the proposed legislation seeks to protect the privacy of individuals and support the judicial system and the enforcement of the law on those who negligently disclose private information.
Responsibility and compliance are not exclusive to the IT department – once passed, the law will have implications for everyone within a business, irrespective of size or focus.
This is just one of several aspects of the Bill that companies have to be aware of. Industry experts say many companies are unsure of what POPI is or what needs to be done to comply with it.
Personal information in the context of this Bill refers to information that can uniquely identify, or is linked to an individual, including contact information and personal identification information – all of which must be protected.
The proposed legislation has been under review for more than a decade and in that time certain companies have gone as far as they can to prepare, which alleviates much of the effort once the Bill is passed. Others, particularly smaller organisations, are arguably more agile and flexible and will react once the Bill is enacted.
Andrew Kirkland, Country Manager at Trustwave South Africa, says POPI will set in motion changes to IT infrastructure, operations, policies and procedures, and all companies will have to adhere to these changes – and there is a cost associated with this as well.
“IT is no longer solely responsible – business folk, receptionists, secretaries, security personnel, senior management – everyone across the organisation will need training and a clear understanding of policy and procedure changes,” he explains.
According to Kirkland, POPI has been generally welcomed in the market, despite grumblings amongst companies over the costs involved in meeting and maintaining the standard, as well as operational costs that make it difficult for smaller organisations to maintain compliance.
Compliance involves businesses adhering to eight principles: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.
In order to comply with these principles, any business in South Africa must follow the policies, processes and procedures designed to protect information – with no exceptions.
Businesses have a number of technologies available that are designed to assist with compliance. Examples include SIEM (Security Incident & Event Management) to monitor the infrastructure and report on issues, and a WAF (Web Application Firewall), more specific to websites used for commerce, to identify and block irregular behaviour.
In addition, awareness is a critical facet of being prepared. Businesses can look to invest in online security awareness education programs, physical education sessions and proactive security bulletins.
The key is to maintain compliance, says Kirkland. Too often companies become compliant and then fall out of compliance because they fail to follow the policies they put in place – and this is when transgressors take advantage.
Should this happen, what recourse is available to employers and employees?
Kirkland says depending on the severity of the data loss, transgressors can potentially face jail time, receive hefty fines or – in the case of employees – lose their jobs.
“Consumers could sue the company, which may lead to severe damage to reputation. There is certainly recourse of some sort that can be taken on both sides. And consider the loss of trust that will impact any bottom line,” he adds.
With the official introduction of the Bill, South Africa is believed to be setting a precedent as far as protection of individual information is concerned. Other countries across Africa are considering the legislation and have adopted the mindset that it is necessary to keep this type of information secure, but South Africa has taken a leadership position.
Chris Tredger, Online Editor