PoPIA is here.
After months of speculation and waiting with bated breath, the Information Regulator of South Africa has said that the PoPI (Protection of Private Information) Act will become effective as of 1 July 2021.
“PoPIA enforcement powers as promulgated by the President of South Africa in June 2020 will still be coming into effect as of 1 July 2021,” said Information Regulator chair Pansy Tlakula.
ITNA’s Luis Monzon had the opportunity to chat with Kevin Akaloo, National Head of Sales at Iron Mountain South Africa, a global leader for storage and information management services that is trusted by more than 220,000 organizations around the world, to get his insights into the PoPI Act – namely what companies can do to ensure PoPIA compliance and the legal penalties associated with going against the act.
Here’s what transpired:
The PoPIA Act is being implemented to further safeguard South Africans from online threat actors and help bring the country’s cybersecurity in line with international standards.
- Why should personal data be protected in South Africa? Why should companies focus on becoming PoPIA compliant before the deadline of 1 July?
Although South African businesses have had years to prepare themselves, their systems and processes for compliance, there are still far too many businesses that have adopted a wait-and-see approach.
Companies have had different reactions to PoPIA: some companies were dismissive of it, others welcomed it, and still others were sceptical.
Organisations need to find standardised and clinical ways of ensuring compliance internally; they need to make it part of the company culture in order to be compliant, and internal stakeholders need to understand the significance of being PoPIA compliant.
- What penalties can a company face if they are found non-compliant* after the 1 July deadline?
The following is effective from the 1st of July: section 107 of the Act details which penalties apply to respective offences.
For the more serious offences, the maximum penalties are a R10-million ($700-thousand) fine or imprisonment for a period not exceeding 10 years, or both a fine and such imprisonment.
Besides the fines, the following consequences may have major impacts if companies are not PoPIA compliant, including data breaches and their impacts on brand reputation.
- How does a South African company begin the process of achieving compliance, and what platforms or solutions are available to them in achieving this goal?
In order to have a grip on and sight of their data and be PoPI compliant, companies should have a grip on the whole lifecycle of their data, from creation until secure destruction at the end of the data lifecycle.
The following steps are crucial:
- Create an inventory and identify all types of data within the business.
- Separate critical data vs non-critical data.
- Have in scope where this data is being stored, who has access to it and on which systems.
- Make sure PoPIA retention periods are being honoured (for both physical and digital data).
- Develop a policy to report any kind of data breach.
- Develop a strategy for how to deal with all your data in the future.
Cybersecurity will only become more important and more pervasive as time passes and we look towards the future.
- What does Iron Mountain believe will drive the future of cybersecurity in South Africa, and even Africa?
Technology is the key driver of economic growth in South Africa and beyond. Technological progress will allow for the more efficient production of more and better goods and services, which is what prosperity depends on.
As we keep embracing and interacting with technology, the volume of data is practically exploding by the day. Data breaches, ransomware and cyber-attacks will continue to rise, as data is the most valuable asset on earth.
As a global player with 65 years of track record, Iron Mountain helps companies to manage their data in a safe and secure way.
- How can organisations like Iron Mountain aid those looking to become PoPIA compliant but have no idea where to begin?
We are seeing companies struggling with red tape around the administrative cost of regulatory compliance in order to be PoPIA compliant. As an industry leader in data management, we help companies with all aspects to be PoPIA compliant.
Either through our consulting services or through different kinds of solutions, we offer to help companies digitize their businesses and manage data safely towards the future.
And we are excited to announce that we’ll soon be launching our state-of-the-art Content Services Platform in South Africa.
Our CSP will help companies extract value out of their (physical) data and do great things in combination with other data sources and AI/ML technology. Depending on the use case we can help companies unlock the potential of their data and make their next step in their DX journey.
*UPDATE: With the South African Information Regulator extending the PoPIA compliance deadline from 1 July 2021 to 1 February 2022 due to technical difficulties in its sign-up systems, and other reasons, the Regulator has said that no responsible party will be held liable for not registering by 30 June 2021.
However, offences against the act itself will be prosecuted as the act will still become effective as of 1 July 2021.