This is the view expressed by Michiel Jonker, Director: IT Advisory at Grant Thornton during an interactive POPI workshop held at the firm’s Johannesburg offices recently. The discussions featured presentations by esteemed POPI legal expert Lucien Pierce, Owner at Phukubje Pierce Masithela Attorneys, Dr Peter Tobin CEO of IACT-Africa, Oupa Mbokodo, Director and Head, IT Advisory at Grant Thornton and Jonker.
Newly established Information Regulator, Adv Pansy Tlakula, announced in March that her office should be fully operational around December 2017 and from that time institutions would have a 12 month grace period in which to become fully compliant. The Regulator will be responsible for monitoring and enforcing compliance and handling complaints related to breaches of data privacy.
The POPI Act, which was signed into law by President Jacob Zuma in 2013, regulates how anyone who processes personal information – such as ID numbers, telephone numbers and addresses among others – must handle, keep and secure that information. It carries strict and substantial penalties for contravention, including prison terms and fines of up to R10-million.
“Companies and government departments especially should not underestimate how much time they will need to review and then implement appropriate systems,” cautions Jonker. “The Act will affect anyone who deals with private information – from video footage recorded in public areas to signing the visitors’ book at an art gallery, the Act requires that all such information be adequately protected.”
Jonker points out that ensuring POPI compliance is a time-consuming process that starts with a comprehensive gap assessment across the entire physical and digital information storage infrastructure – from the call centre agent to the executive personal assistant. Once the gaps have been identified a privacy strategy can be put in place to ensure that the organization complies with the legislation.
The compliance strategy needs to include a combination of activities like reviewing business processes, assessing the technologies needed to safeguard the information and creating awareness across the organization so that employees know how to treat data.
Jonker says, “Much of POPI really filters down to individuals and their actions. Employees need to be fully aware of what data they are collecting; they need to define exactly why they’ve collected said data, who is processing the information and for what reason. For example, in some instances staff are collecting data and then passing it on to a third party for processing. They need to know how that data will be protected and, when no longer needed, how it will be destroyed.”
Jonker points out that under the POPI legislation, individuals, organizations and government departments would be held accountable and they also risk legal action for not adequately protecting personal information.
“If the POPI Regulator were operational already today, an organization suffering a data breach due to theft or cyber hack, for example, would have a case to answer should it be found that they did not take adequate steps to protect the data, or if their security systems were inadequate in protecting such highly confidential information,” says Jonker. “The sooner institutions start with the process in order to properly comply with this legislation, the better.”
It would appear, though, that there are differing levels of awareness in the private sector relating to cyber security attacks, which include data theft. Data extracted from Grant Thornton’s International Business Report (IBR) conducted in South Africa in 2015 indicated that 91% of businesses were aware of the POPI Act and were taking steps to comply with it. However, for the last quarter of 2016, IBR data from a survey of more than 100 SA businesses indicated that only 25% foresee that they will be affected by cyber-attacks such as data theft.
The IBR findings indicate that cyber security threats that could lead to data breaches are still not taken seriously enough – which is a major risk to POPI compliance. And noncompliance, Jonker says, carries significant consequences in that all indications are that the Regulator will throw the book at anyone who fails to protect personal data.
Under the Act, companies are obliged to report any loss of information to the Regulator, to the relevant industry body for the organization and also to the victim affected. Companies will also be required to inform them of what steps will be taken to rectify the situation. In addition, consumers will have the right to complain to the Regulator if they believe their personal data has been breached, following which the complaint will be investigated and any guilty parties would be sanctioned. Industry bodies would also be responsible for ensuring that their affiliates abide by the new prescriptions of the Act.
“Companies will have to prove that they have taken every reasonable step to protect the information they have gathered. While it is not expected that small business must have the same measures as large corporate entities, even they must show that they have a basic system or policy in place,” Jonker said.
“To this end, burglar bars and locked cabinets would suffice as evidence in, for example, a small business not handling extremely sensitive information. A large corporate entity, however, would require comprehensive non-IT and IT data storage mechanisms and systems (especially if they handle sensitive data), and it would need to prove that it had effectively communicated this policy to its employees and trained them adequately as well,” he concludes.