The Protection of Public Information Act (PoPIA) came into force in July last year. The Information Regulator, who oversees all PoPIA compliance in South Africa, gave organisations a 12-month grace period to get everything in order and implement the measures required to comply with the act.
Yet nearly a year later, many have yet to get started on their compliance journey and feel overwhelmed at the prospect.
“If you haven’t started, hurry,” urges Kevin Halkerd, information security officer at e4. “The Regulator has been overwhelmed with complaints already, and we expect to see them cracking down on offenders soon. The good news is once you do get started, you’ll find that it’s not as confusing as it seems – and compliance carries several benefits for your business.”
Entities are hesitant to achieve compliance because they only look at the effort involved, says Halkerd. “But if you look past that, PoPIA comes with several benefits to business. Onboarding new clients becomes a breeze if you can prove your compliance and you’ll benefit from improved security controls.
“When you take out insurance, and specifically personal information cyber insurance, so much hassle and red tape is removed. As a software as a service business, with a data aggregation department that helps entities lawfully enrich their personal information, these are just some of the benefits we’ve seen first-hand.”
But possibly the biggest benefit comes in the form of trust, he adds. “We have to remember that we live in an international community, and that the international expectation of how personal information is handled has changed. Europe’s General Data Protection Regulation (GDPR) may have made the biggest waves, but African countries like Nigeria and Kenya also have sophisticated data protection laws.
“We cannot expect to participate in a global economy without such laws. The average consumer is also using international platforms such as social media daily and now expects a certain level of responsibility in how their data is used. They want to know where their data resides and who has access to it. They’re very aware of the importance of personal information protection and wary of non-compliant businesses. Compliance immediately makes you more trustworthy to consumers.”
Non-compliance, of course, comes with several risks. The grace period has all but lapsed, and the Regulator is gearing up to take offenders to task.
“Going forward, we’ll likely see more prescriptive reviews from government around compliance with the act. There have been some severe abuses of personal information and breaches of the act already that have impacted all aspects of industry – from banking and finance to credit risk and justice. The Regulator, in fact, has been completely overwhelmed with such breaches and further complaints. We’re expecting to see some serious fines being issued soon,” says Halkerd.
Insurers have even started stepping away from the personal information field for this reason. “Many companies decide to take out personal information insurance to protect themselves against a breach instead of being proactive about information protection. As data breaches become more severe, insurers are bleeding money. Many are now cancelling their personal information cyber protection portfolios,” he notes.
It’s time to take compliance seriously, says Halkerd, and to do so soon. “The cost of a mistake is always higher than the cost of doing something right the first time, and PoPIA is no different. You may have to purchase encryption tools now, for example, but this once-off purchase pales in comparison to the fines and legal fees of non-compliance. The time, effort, and costs of mistakes are always greater than a proactive approach.”