The promulgation of the Protection of Personal Information (POPI) Act into law will result in severe penalties if an online business does not adequately secure the personal details of its customers stored online.
According to the Act, personal information is defined as any information relating to the education, medical, financial, criminal or employment history of a person.
This includes any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular information relating to the person, as well as the name of the person (if it appears with other personal information relating to the person or if the disclosure of the name would reveal information about the person).
The Act is forcing companies to reassess how they process personal information. According to POPI, processing includes the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use of personal information.
In the case of a breach, companies will need to prove that they took appropriate and reasonable technical and organisational measures to ensure the confidentiality and integrity of personal information, that is, measures to prevent the loss of, damage to or unauthorised destruction of personal information, and unlawful access to it.
Online shopping has benefited both parties: customers get added convenience and variety, while the online business experiences massive cost savings and business agility. Global e-commerce is reportedly projected to increase 13.5% annually over the next three years to reach an estimated $1.4 trillion in 2015. Consumer buying habits are changing, with growing numbers of people shopping online.
However, regardless of this growing trend, unless the customer’s details are properly secured according to the POPI Act, online businesses can suffer great losses. Data breach penalties include prison terms (of up to 10 years), fines (of up to R10 million) and devastating reputational losses for the company.
Up to now, information security has largely been regarded as a grudge investment, mainly due to the lack of data breaches publicised in South African media. However, the US Federal Bureau of Investigation (FBI) recently listed South Africa as the sixth most active cybercrime country in the world, and informal consensus places it third behind Russia and China.
South Africa is far from immune to the ever-increasing rate of cybercrime, and the POPI Act is set to hold companies accountable for personal information data breach incidents. South Africa’s increasing reliance on the Internet, including online shopping, may offer many benefits, but it also provides more opportunities for cybercriminals to exploit.
It is important to remember that although POPI compliance may seem like a logistical nightmare for companies, the advantages far outweigh the challenges. Not only will it bring your company up to international data law standards, but it will help you get invaluable insight into your customer data.
This legislation will prove a vital tool to ensure the privacy, integrity and security of a company’s data and, in the process, empower not just the company but its customers as well.