The Protection of Personal Information Act (POPI), which may be enforceable in the next few months, is currently a hot topic for many businesses. Whereas previous regulations around information security and privacy have focused strongly on the financial services and insurance industries, POPI is almost universally applicable, imposing harsh penalties, including possible legal action against, or hefty fines on, organisations that do not comply.
“POPI is a very comprehensive piece of legislation that goes beyond pure data security and archiving practices down to the very processes and data transportation routes. The way documents are processed is now more important than ever, so that any and all customer personal information needs to be secured, including information workflows that could potentially expose this information,” says David Luyt from Michalsons.
“Proper signatory processes are essential to ensure that all documentation is legally binding – from internal HR forms, through to financial notifications, to external customer contracts. However, the typical practice currently used to collect the required signatures – email, print, sign, scan and repeat – exposes this information to risk in contravention with POPI,” says Avi Rose, regional sales manager: South Africa at DocuSign.
For example, a vendor generates an order, Service Level Agreement (SLA) or other customer agreement electronically. These documents are sent to a client via email or fax and are then printed by the customer for signing with an insecure wet-ink signature. The signed documents are then scanned and emailed back to the vendor with an insecure digitised signature, or couriered back to the vendor. This process may even be repeated numerous times for co-signing.
Adds Luyt: “This creates numerous copies of the same document, all of which include sensitive personal information such as address, ID numbers, or account numbers (the unlawful disclosure of which is a criminal offence under POPI), making them accessible to others in the office. When POPI commences fully, this practice will no longer be acceptable, as personal information must be kept secure and confidential.”
With this in mind it becomes obvious that all signature-dependent processes need to be carefully considered in light of POPI, as unsecured steps such as printing, scanning, faxing, and emailing documents could result in non-compliance. As a result, many organisations are now looking toward electronic signatures as a potential solution with numerous benefits, including improved efficiency, lower costs and support for the transition toward a paperless office.
“Electronic signatures provide a complete, tamper-evident audit trail with time and date stamps, which ensures that accountability can be easily identified in the event of a breach. By using them, any changes to security policies, processes and other documents requiring a signature will be far easier to manage, clearly showing who approved which change when and at what time. In addition, electronic signatures can dramatically speed up the time it takes for security policy changes to be approved. With a wet-ink process, the policy must be printed and then physically signed, often by up to five different people, which is not only inefficient and time-consuming but can be risky, since the time it takes to sign off the security policy might be critical. This is because the new policy needs to be approved before being deployed, and during the sign-off period the organisation might be exposed to a security threat,” adds Rose.
As POPI enforcement looms ever closer and the potential penalties become clear, organisations need to make sure that they implement a signature automation solution that complies with POPI. It needs to support the highest levels of information security, provide the ability to tightly control workflow, and enable users to obtain the required signatures without exposing sensitive data.
Electronic signatures can contribute to the easier adoption of POPI-compliant processes. However, there are several aspects that organisations need to bear in mind when adopting a signature automation solution. Firstly, organisations need to decide whether they require an in-house solution or a cloud-based one, and whether this can be done without further risk or exposure of data. Furthermore, electronic signature solutions should integrate easily and seamlessly into existing document management systems to minimise disruption and maximise adoption.
“With the prospect of POPI enforcement looming over many organisations’ heads, now is the time to examine all existing processes for compliance. In particular, when signing documents, electronic signatures can help organisations to ensure that personal customer information remains private and confidential. They provide a full audit trail and can integrate into workflows to minimise data exposure, as well as help the organisation to more tightly manage all signatory processes. Ensuring that your electronic signature solution supports POPI compliance can ease the process of gearing up to handle this new piece of legislation,” concludes Luyt.