Proactive compliance means POPIA won’t be a burden

With just a year’s grace to achieve compliance, organisations need to take proactive measures now to align with the guidelines of the Protection of Personal Information Act (POPIA).

However, they should note that the Act should not be seen as a burden, but rather as an important set of guidelines to safeguard both businesses and their customers.

This is according to Sarisha Kisten, a practising attorney in KwaZulu Natal and the MD of legal advisory Enyuka Consulting, addressing a webinar hosted by the KwaZulu Natal chapter of the Institute of Information Technology Professionals South Africa (IITPSA).

Outlining key pieces of data protection and privacy legislation, Europe’s General Data Protection Regulation (GDPR) and South Africa’s POPIA, Kisten says: “Compliance with data protection and privacy legislation goes beyond regulatory compliance; it’s about protecting your organisation’s reputation and people’s right to privacy.

“Personal data is a commodity which is often sold to data brokers. Whether people are using navigation services, adding their details to a Covid-19 registry or using biometric access systems, they are sharing personal information, and it needs to be protected.”

Kisten says data breaches could have devastating consequences. For an individual whose data was stolen, a breach could mean having to change passwords frequently, place credit freezes, carry out identity monitoring and possibly be defrauded.

For a business, a breach could damage its reputation through loss of brand value and loss of trust, and potentially lead to financial losses.

“The motive behind GDPR is to standardise privacy laws across Europe and protect citizens’ right to privacy – it is reshaping the way data is handled across every sector.”

She explains that the GDPR applies to any company that stores or processes personal information about EU citizens: if your business offers goods and/or services to citizens in the EU, then you will have to consider GDPR compliance. Businesses also need to comply with GDPR even if they have no business presence in the EU but do business with EU citizens.

“South African businesses are urged to examine GDPR in relation to their business operations to determine the applicability of the regulations,” Kisten says. Non-compliance with the GDPR could result in penalties, which could be a costly mistake for businesses.

POPIA, which aligns with best practice legislation such as GDPR, commenced on 1 July this year and allows for a 12-month grace period until 30 June 2021 for organisations to comply.

Kisten explains that POPIA aims to protect personal information processed by public and private bodies, to set conditions or guidelines on how personal information should be processed, to issue codes of conduct regulating how certain industries manage personal information, and to provide for the rights of persons regarding direct marketing.

The Information Regulator is tasked with monitoring and enforcement.

Kisten says that, while POPIA makes provision for fines of up to R100 million and up to 10 years’ jail time, enforcement would likely start with a notice of non-compliance issued by the Information Regulator, and time would likely be allowed for any non-compliance to be rectified.

Kisten adds that it is important for organisations to understand what is meant by personal information and processing:

“Almost all South African businesses keep information about staff and customers, and very few will be exempt from POPIA.”

POPIA will apply to any personal information that can be traced back to an individual, including photos.

“Non-compliance could be raised by a breach, in an audit by the Information Regulator, or in a civil case. Organisations need to become aware of the penalties, as well as the risks of reputational damage and losing customers and employees,” she says.

Kisten recommends that organisations should move now to become compliant with POPIA and other best practice data protection and privacy laws.

She says the roadmap to compliance should start with the appointment of an information officer and/or a POPIA committee, and then go on to analyse all data processing activities within the organisation.

“Businesses must consider all facets of data processing in all divisions and all departments,” she says.

Organisations also need to train relevant staff on POPIA, she adds. “Awareness is important, because it brings about a culture shift.”

Businesses also need to ensure that POPIA principles are integrated into contracts, procedures, and terms and conditions.

“POPIA measures need to be implemented throughout the business, and policies and procedures must be continuously reviewed and updated to remain compliant.”