The deadline for South African companies to attain compliance with the regulations laid out in the Protection of Personal Information Act (PoPI) is fast approaching, with the Act coming into full effect in 2018.
And, says Terry Ramabulana, head of public sector at Mazars, while PoPI has been a topic of interest for the business sector for some time now, the real pressure on how businesses should prepare for the implementation of the Act has just started.
“With the appointment of Pansy Tlakula as South Africa’s new information regulator in October of last year, PoPI will now begin to impact how all businesses conduct themselves, how information management strategies are formed and the development of new skills to manage future business,” Ramabulana says. “The principles behind PoPI are about the safekeeping of data. Many would argue that a company would have to be in possession of personal information for the Act to apply to them. But PoPI in fact applies to information pertaining to individuals as well as companies. The responsibility of many businesses in terms of the information that they store and need to keep safe is therefore often much bigger than they initially believe.”
Mazars offers consulting services for a number of businesses relating to PoPI compliance and Ramabulana notes that one of the most important steps in the consulting process is the initial assessment.
From an IT point of view, one of the tasks Mazars performs from the start is to ask the right questions to make sure that no aspect of security is left unattended, he says. “We investigate whose information is stored, what vital functions the company is storing said information for, and who within the company has access to it, among other aspects. Not only does this help in making systems compliant, but it also helps companies pinpoint information that they do not need and should safely destroy.
“From there it is also important to understand that no two companies have the same risks,” he says. “One needs to bring in the right expertise to look at the risk environment and which security controls are needed for each situation.”
But one of the most important parts of making businesses PoPI compliant is transparency, according to Ramabulana. “Once the new watchdog is in place, businesses will need to readily make their systems and processes available for scrutiny by the regulator.”
“Mazars has recently developed its own compliance tool which automates the assessment process. The tool incorporates all the relevant questions and checks. It firstly improves the accuracy of the assessment, since human interference is minimised. Secondly, it makes the results of the assessment immediately available to business owners,” he explains.
“PoPI is finally here and businesses that collect personal information now have a very real deadline for their compliance measures. Now is the time to partner with a consultant that is flexible enough to be innovative and who is able to relate to and understand the South African risk environment,” Ramabulana says.