POPI – what businesses might be overlooking
A new realm of compliance for South African businesses and government is set to arrive in 2013. Executives and business owners may soon have only 1 year to ensure their IT governance complies with the new Protection of Personal Information (POPI) Act when it is officially promulgated, which is expected to be within the first quarter of this year. The new legislation is far-reaching and will apply to any business or organisation that gathers and processes personally identifiable information (PII) relating to any employee, customer or supplier.
Drew van Vuuren, CEO of new specialist Information Security and Privacy practice 4Di Privaca, comments, “Once the legislation is law, a privacy regulator will be established, and businesses found to be noncompliant potentially face harsh consequences. The implementation period of one year set out is likely to be challenging for organisations to meet, with only a small percentage of businesses currently pre-empting the legislation by initiating POPI projects internally.”
The proposed penalties for contravention of the new legislation range up to R10 million and 10 years imprisonment, however reputational consequences could be far more financially devastating for any organisation losing public confidence.
According to Van Vuuren, POPI will be an important piece of legislation that directly affects public perception of any business. He explains, “It’s simple: as a consumer, if businesses can show that they are serious about your privacy, then you’ll have confidence in using their products or services. If they’re found to be untrustworthy, they risk losing your custom.”
Astute executives and small business owners should be proactively planning and budgeting for the incoming legislation to ensure their business is geared to deal with the various aspects of the law. And it’s not merely a case of knowing where data is, but how is it managed, processed and secured.
Van Vuuren says that while retail, financial services and government are obvious sectors with high risk of exposure, no particular organisation or sector, public or private, big or small, is exempt. He further explains that Privacy and IT governance are intrinsically linked, and outlines five commonly overlooked governance areas which may give rise to risk of exposure:
· Fragmented maturity: This occurs where differing levels of governance maturity are found within an organisation. In such cases, no enterprise wide eﬀort to coordinate decisions or consider trade-oﬀs exists.
· Decentralisation: With the likelihood of Personally Identifiable Information (PII) being processed in a decentralised manner, the probability of non-compliance to a typical centralised governance mandate is increased.
· Accountability: Governance is about accountability. The POPI legislation is intended to hold senior executives accountable for the integrity and management of PII on data subjects. Also, IT governance holds IT management accountable for the return on investment in IT, as well as the credibility of IT’s own information and controls around PII.
· Performance measurement: Accountability in IT governance requires that performance is measured, typically by implementing a form of scorecard. A POPI scorecard will have key metrics to measure the effectiveness of controls around the processing of the PII data gathered on data subjects.
· Information classification: A formal data classification process is the first step on the road to managing PII and reducing the risk exposure of the business. A lack of such formal data classification processes, identifying and controlling the PII relevant to data subjects leads to disconnects and increased risk exposure.
Justin Stanford, CEO of technology investor 4Di Group, comments, “Privacy is already an established industry sector internationally, so it’s no surprise to see it now coming to South Africa as well. In light of this, at 4Di Group we have reacted accordingly by extending our competency in this direction with the launch of a combined Information Security and Privacy offering in the form of 4Di Privaca. We are very pleased with the appointment of Drew Van Vuuren as CEO, who brings over 18 years of global experience in both fields to the table. 4Di Group is already an established player in the local technology industry, with our security software business ESET Southern Africa and venture capital fund 4Di Capital”.
Executives and business leaders need to carefully consider the implications of non-compliance to formal governance mandates generally, both for their businesses as well as for themselves, and now additionally, how they manage the impact of Privacy with the introduction and potential exposure to liability of the pending POPI legislation.