On 25 May, the European Union’s new General Data Protection Regulation (GDPR) came into effect. The long-awaited law changes the way in which companies are required to collect, store and process personal information, affording EU residents better protection and greater control.

While the GDPR has helped to bolster consumer rights and protections for the EU, many companies were ill-prepared when it came into effect.

South Africans can look forward to similar protection as a result of the Protection of Personal Information Act (PoPI). The Act is anticipated to follow GDPR, with implementation expected later this year, after which institutions will have a one-year grace period to comply with the new regulations.

“This will have a significant impact on businesses that collect and store personal information,” says Sonja Visser, CEO of African Unity Life (AUL).

“Therefore, companies will need to make sure that they are ready and compliant for when this kicks in.”

Visser explains that the Act now requires organisations to obtain the consent of data subjects ahead of collecting information, and to stipulate exactly what kind of information they need and why they need it.

“Information must also be destroyed if the subject requests it. Safeguards will need to be put in place to protect this information and individuals must be notified in the event of any unauthorised access.”

The Act will have many positive implications for consumers, whose sensitive information will now be safer than ever before. However, Visser believes that implementation may present some challenges for organisations who will need to have the right technology and processes in place to ensure that they comply.

She says that insurers will naturally have to comply with these regulations, and will be faced with the challenges of balancing an individual’s right to privacy with business practicalities and the costs of compliance.

“It is therefore important for companies to commence immediately with the roll out of a PoPI compliance programme because comprehensively addressing all the elements of the new act is likely to take some time.”

Businesses or individuals that fail to adhere to the conditions prescribed by the Act could face serious consequences, including a fine of up to R10 million or a maximum of 10 years in jail.

AUL has always protected its clients and their personal information; however, the organisation acknowledges that in a fast-changing world, the reliance on digitally stored data is a growing security concern. For this reason, the insurer has set up a compliance and risk monitoring plan, through which it has identified weak points and created a strategy for addressing issues and boosting compliance.

“The plan enables us to assess the controls and address shortcomings in our business processes, and to review these on a regular basis,” says Visser.

AUL has provided training to its staff members to inform them of the consequences of the Act. The insurer’s intermediaries are also provided with regular notices from the compliance department to keep them up to date with legislative changes.

“Our intermediaries are aware of their responsibilities and have provided for such requirements as obtaining consent from their client for personal information being provided to insurers or other relevant third parties,” says Visser.

The company is also implementing IT systems and strengthening its security systems, so that unauthorised individuals will be unable to gain access to any information.

“As we are an authorised financial services provider and insurer, our customers’ trust has always been vital to us. We remain committed to the protection and safeguarding of personal information and support any legislative changes that will help us achieve this,” Visser concludes.