The new Protection of Personal Information Bill (POPI) is set to create a new role for specialised compliance officers within enterprises, says Ayanda Dlamini, Business Development Manager of LGR Telecommunications.
The new Protection of Personal Information Bill (POPI), now being signed into law, ensures the protection of personal information on a level unprecedented in South Africa. The benefits of this new legislation include protection of customers’ rights to privacy, and the elevation of South Africa’s standards of data protection to meet world standards. As a result, South African business will be in a position to welcome more international businesses willing to work with them because the country has sound data governance frameworks in place. The harmonised data protection policies will also reduce the risks of sending sensitive data.
However, with a regulator to be appointed with the power to impose fines of up to R10 million, along with prison sentences for non-compliance, there will be no margin for error when it comes to compliance.
The responsibility rests with the most senior executives – the CEO, MD and Financial Director, who will be held personally liable for non-compliance. Considering that recent research indicated most local businesses were unprepared to meet the requirements of the new legislation, senior management should now be taking urgent steps to ensure that their enterprises will be ready to comply with POPI.
Compliance with POPI will impact a broad spectrum of departments and processes – from communications with customers, to data capturing and management, to cloud computing and branch interactions. Even internal data – such as that collected and stored by HR – will be impacted by the new legislation. POPI will not only affect digital data – its effects will be felt in communications and manual data records too. Steps must be taken to ensure that the processes in place meet the POPI requirement that the person to whom the personal information relates is aware of the purpose for which the information is collected. Those people will have the right to obtain details of the information companies hold on them. Clear distinctions must be made between the types of information gathered and stored, and certain data must be destroyed within certain time frames.
In future, formal processes will have to be introduced to manage and secure the flow of data throughout the organisation.
Compliance with POPI may require the major revision of multiple processes, in consultation with legal consultants, IT and management. Therefore, we will see a need emerging for a project head and liaison between IT, consultants, business divisions and management, which will drive the creation of specialised consulting teams and the role of the Personal Information Protection Compliance Officer in the enterprise.
Whether the function is insourced or outsourced, the POPI Compliance Officer will have to assess the framework of data warehousing and BI, enterprise mobility and BPM. An action plan with key deliverables must then be put in place for the overhaul of processes – from the input of data, to storage, management, retention and security – and systems will have to be introduced for regular review and audit. The POPI Compliance Officer will also have to be consulted on the introduction of new processes and communications channels, to ensure that they are compliant.
With the legislation now being passed, South African enterprises can expect to be given only around one year to become compliant. Considering the magnitude of the task at hand, organisations will need to begin their compliance planning now – whether they have allocated budget or not.