The Protection of Personal Information Act, 2013 (POPIA) came into full effect from 1 July 2021.
The Act is the comprehensive data protection legislation that obliges organisations to lawfully process the personal information of data subjects (both natural and juristic persons) by applying specific principles and conditions. But how will it affect the payments space specifically?
“As businesses in the payments industry process copious amounts of personal information, they now have to change many elements of the way they operate in order to accommodate the Act,” says Cecil Munsamy, MD of AVeS Cyber Security and a consultant to Pay@.
“These businesses now need to have extensive compliance programmes in place to ensure that they deal with personal information on behalf of their clients such as bill issuers in the correct manner,” adds Marlouise Verster, legal officer at Pay@.
“Bill issuers are viewed as the party primarily responsible for user data in the eyes of the law. Should there be a breach, the responsible party is obligated to report the breach to the Information Regulator as well as to the data subject whose information was exposed or compromised. They will also need to take mitigating steps to address reputational damage and business interruptions, not to mention stakeholder and customer confidence.
“Failure to comply with certain provisions of POPIA may result in the Information Regulator imposing an administrative penalty of up to R10 million or jail time of up to 10 years, or both.”
Verster notes that the measures and level of security that payment processors put in place will often depend on the type of information being processed and the sensitivity thereof, and adds that these will also need to be revisited regularly to ensure that they remain appropriate.
Additionally, she says that while there currently aren’t specific Codes of Conduct or Guidance Notes / Notices for the payment industry, there might be in future, given the sheer amount of guidelines posted by the Regulator prior to the implementation of the Act.
Munsamy shares that, in the past, companies were more focused on technology rather than on how they govern technology.
“Because information security wasn’t viewed holistically, there were gaps which led to breaches and information security incidents. POPIA mandates that best industry practice be applied to the governance of the business space. Implementing all of the controls required for information security mitigates the risk of incidents, which in turn lowers the likelihood of breaches.”
“Although implementation of all these new compliance programmes and policies will take a while, in the long-term it will be a good thing for the industry because it is motivating best practice and aligns South Africa’s data protection laws with those of other countries and international standards. This could potentially open up business opportunities for South African businesses in the payment space as they will be able to demonstrate compliance,” concludes Verster.