Progress is being made to promote the protection of personal information in South Africa.
President Cyril Ramaphosa has announced the commencement of parts of the Protection of Personal Information Act (POPIA). The remaining provisions of the Act will be addressed once the Information Regulator assumes its powers, functions and duties in terms of the Act.
The sections that commence today, 1 July 2020, include the conditions for processing personal information, procedures for dealing with complaints and provisions regulating direct marketing by means of unsolicited electronic communication.
Sections 2 – 38, 55 – 109, 111 and 114(1), (2) and (3) commence on 1 July 2020, and sections 110 and 114(4) will commence on 30 June 2021.
What does this mean?
According to new legislation, businesses are required to manage the complete destruction of all data when IT assets reach end-of-life.
Wale Arewa, CEO of Xperia, says businesses that process personal information must ensure that it is done in a lawful way. “The POPIA Act is designed to protect personal information, especially in the case of data breaches and data theft.”
“Compliance is fast becoming a competitive advantage. Customers don’t want to be put at risk; data breaches and issues related to regulatory compliance, associated costs and loss of reputation will have dire consequences for businesses that suffer data breaches,” he explains.
“Within one year after the commencement of the Act, all forms of processing of personal information must be done in accordance with the Act. This will ensure that companies have adequate security measures when dealing with your private information,” Arewa concludes.
With the new sections of the Protection of Personal Information Act (POPIA) being implemented, businesses need to tighten their cybersecurity, as this will have an impact on their day-to-day operations.
The Act also aims to protect the personal information of consumers and employees by ensuring that businesses conduct themselves responsibly when collecting, sharing and storing information, and by holding them accountable should that information be compromised.
Companies should invest in security now more than ever
“Strong privacy requires protecting a user’s identity from unauthorised access and use, whereas strong security requires binding a user’s identity to their behaviour to allow for authentication, authorisation, non-repudiation and identity management,” says Brandon Naicker, a Cybersecurity Executive at LAWTrust.
“These newly implemented POPI Act sections mean there will now be much closer scrutiny on companies when it comes to the protection of personal information. There is now an obligation on companies to disclose a data breach to the Information Regulators (IR) and every affected person,” says Rian Schoeman, head of legal at LAWtrust.
He further adds that the Information Regulator will have the option to fine a violating company and have details of their data breaches made public, bringing the reputation of the organisation into disrepute.
The Act requires companies to implement security safeguards to protect the personal information of their clients and employees.
To comply, organisations need to assess where personal information is being used, identify cybersecurity threats and weaknesses that could compromise the integrity of that data, and put appropriate measures in place to mitigate any risks identified.
“Despite the size of your business, it is mandatory for businesses to comply with the POPIA. There are affordable ways Small and Medium Enterprises (SMEs) can position themselves to mitigate cybersecurity breaches; these can include encryption of data, including emails, customer databases and contact info of external people. Acquiring a cybersecurity expert to train your employees on how to handle personal information and secure any breaches is essential,” says Schoeman.
So where should you begin? Here are three simple steps to help you get started:
1. Start with a ‘Business Privacy Impact Assessment’
Condition 7 of the Act (“Security Safeguards”) requires organisations to take “appropriate and reasonable measures” to safeguard personal information. The concept of acting “reasonably” is used in many privacy laws around the world and requires a business to do what is appropriate to protect its data.
By conducting a business privacy impact and risk assessment, you’ll identify privacy risks in your organisation and come up with a plan to either remediate or accept them.
2. Prioritise your high-risk processes
High-risk processes should always come first. Start with client/customer personal data and work your way towards employee personal data.
This will involve collaboration with many departments, so executive buy-in is a must, and privacy compliance should be pitched as business enablement.
3. Drive a Privacy & POPIA Awareness Campaign
Employees need to be made aware of and get trained in the security requirements of the organisation as well as learn about the basic POPIA privacy principles and how to apply these at work.
Security awareness training for employees is one of the most effective means for reducing the potential for costly errors in handling sensitive information and protecting company information systems.