With the deadline fast approaching for South African organisations to become POPI compliant, many organisations have entered panic mode. The Protection of Personal Information Act, or POPI, is five years in the making, and comes into force on 1 July 2021.
The Act threatens harsh fines of up to R10-million for non-compliance, and in extreme cases, even jail time. Complying with the Act is time-consuming, and many organisations have left it until the last minute to become compliant.
But there’s no reason to panic, experts say. The Act is a good thing for SA, and there’s still time to start putting steps in place to make sure your organisation doesn’t break the law.
This is according to a panel of experts hosted by the Mail & Guardian and Trend Micro, who unpacked POPI and what it means for SA in a webinar on Tuesday.
Nadine Mather, senior associate at law firm Bowmans, said the Act comes from an increasing focus on what companies can do to avoid data breaches internationally. SA was behind the curve in this regard and needed legislation to prevent data breaches, and protect the right to data privacy, she said.
“This is the end of an era when South African organisations collected information whenever they saw fit,” she said.
Emmanuel Tzingakis, Technical Lead for Trend Micro Sub-Saharan Africa, said organisations need to take a “holistic approach” to data protection.
“Many people, when they hear ‘cyber security’, they think ‘technology’. But there are other ways to protect your data and companies aren’t aware of that.”
For example, Tzingakis said identifying and classifying the information in your organisation’s environment will help to determine how to protect it. It is also important to train employees to understand POPI.
Zaheer Ebrahim, Sales Engineer at Trend Micro, said more and more South African organisations are starting to consolidate information and keep it in one place, such as a cloud service, and this is “encouraging”. Keeping data in a centralised location helps to manage the data that’s there, he said.
“Once I can identify the data, I can control how the data moves in and out of my organisation,” said Ebrahim.
Mather cautioned, however, that if the cloud service is hosted in a foreign jurisdiction, storing personal information there could constitute a breach of POPI.
“It is great that organisations are using cloud technology a lot more, but the cloud is generally situated in other jurisdictions, and POPI does seek to regulate the transfer of information across borders. And the Information Regulator has said that the storage, or transfer of personal information to a cloud situated outside of South Africa would constitute a cross-border transfer. So in these circumstances there is a general prohibition on it, but subject to the fact that the third party receiving that information is subject to a law, or binding corporate rules, or a binding transfer agreement that provides adequate protection, that upholds the principles contained in POPI,” Mather said.
The panellists agreed that working from home during the Covid-19 pandemic had added another layer of concern regarding data protection.
The Act also poses a challenge to companies that send out marketing SMSes or emails to stored databases. Mather said POPI requires that anyone on those databases must “opt in” before companies can send marketing materials to them.
And consent alone is not enough: “informed consent” is now the rule. This means that companies will now have to explain to their potential customers exactly what data they will be collecting and what they intend to do with it.
Becoming POPI compliant may seem onerous and expensive, but there are simple and cost-effective ways to ensure that your data is protected and businesses remain compliant, said Ebrahim.
Tzingakis said a data breach can cost companies up to R42-million, and that’s excluding the cost of reputation damage. Recovering from a data breach can take up to 55 days, he added.
Organisations can also be fined up to R10-million and, in extreme cases, non-compliance can result in jail time, said Mather.
So, with just a month to go before the POPI Act comes into effect, is South Africa ready? Tzingakis said the country was indeed ready for this legislation, but SA’s “security maturity is not there yet”.
“A lot of work needs to be done and the POPI Act will help people to reach that level … Where people might fall short is assuming that it doesn’t apply to them if they’re small or medium (enterprises),” he said.
He added that it was important that organisations are not afraid of POPI.
“Don’t be scared of the POPI Act. It’s there to help. The Act is very clear on how information can be protected. If organisations understand what data they have, where it sits and how it is used, you can put the right processes in place,” Tzingakis said. — Sarah Evans