The Protection of Personal Information Bill (POPI), now being signed into law, is set to change the way information is managed within enterprises radically. While on the one hand, this is a positive move in that it better protects the rights of citizens and puts South African data protection practices more in line with international best practice for data protection, it also presents some challenges.
A recent survey by Cibecs business data protection found that only 26% of respondents are actively adjusting their processes and looking for technologies to ensure they comply with POPI. If these businesses are still "looking to" comply, we can safely assume that the vast majority are unprepared for compliance with the legislation. Usually, companies are given up to a year to comply with new legislation, but considering the scope of this particular bill, a year may not be enough.
The Bill radically changes the way that data must be captured, stored and secured. Aiming to prevent the negligent disclosure of information, it protects a wide range of data - from ID numbers and contact details, through to medical history, religion, education, financial history, sexual orientation and even biometric data and online identifiers. In future, enterprises will have not only to revisit their data storage and security - they will also have to overhaul many of their processes in order to ensure compliance.
For example, a telco customer buying a cellphone for his child might in the past have simply added a second SIM card to his account. Data from this SIM would have been stored along with that from the primary SIM. However, in line with POPI, certain data on minors may not be processed. In future, the telco will have to change its data input processes to ensure that data relating to minors is flagged and not captured along with the data relating to adults.
POPI will impact on the internal operations of the enterprise too. Information previously captured and stored by the HR department relating to staff must now be treated more circumspectly. Internal business processes will have to be amended to ensure full compliance with the law.
Data warehouses will have to have new processes inherent in the capture and profiling of data, with compliance built in from the point of entry, through to processing and storage of data and the management of data transfer.
In cases where data is moved across borders, contracts must be drawn up with cloud service providers and carriers to ensure that the provisions of the legislation are met, even when the data resides outside of South Africa's borders. The implications for enterprise mobility will also have to be assessed, as the legislation will relate to information captured across a variety of channels in a variety of formats.
The task of ensuring POPI compliance cannot be left solely to technology - data profiling and meta management tools, which may help to filter and flag data in order to comply in certain respects, may not be mature enough yet for the enterprise to depend entirely on them. The new legislation provides for penalties including imprisonment and multimillion rand fines, therefore every effort will have to be made to comply.
Adapting to these new provisions will require careful planning and collaboration from a multi-disciplinary team. Now, data management and processes must move beyond the domain of IT, into the legal and risk departments, and must include top management. With the potential for penalties imposed by a regulator, in addition to civil suits for non-compliance in the not-too-distant future, enterprises need to turn their attention to POPI now.
