How PoPi will change your business

Johannesburg, 23 May 2018
Read time 6min 50sec
Carl Townsend, ovations product lead, Ovations Group.

Are businesses prepared for PoPi?

Gary Allemann, MD, Master Data Management: Some businesses are better prepared than others, but some are waiting to see what will happen when the regulations are released within the next 12 months.

When similar legislation was introduced in Europe, we saw that 12 months was not nearly enough time to prepare. Businesses should have started preparing yesterday. The longer they wait, the bigger the potential implications.

Rian Schoeman, head of legal, LawTrust: I've spoken to large institutions like the banks about their preparations for PoPi and they've said they are two years into discovering where their important information is stored.

Thomas Reisenberge, regulations and compliance lawyer, Legalese: I work with a lot of small businesses. What I've discovered is that companies that are just starting out do not see compliance with PoPi as an additional thing that's onerous, on top of the other regulatory stuff they also have to do.

Thomas Reisenberge, regulations and compliance lawyer, Legalese.

Companies that are well established, however, have a problem because they have to reverse-engineer themselves to comply with the legislation.

Theo Watson, commercial attorney, Microsoft: I'm involved in a lot of negotiations with many large corporates and I've found that they are stuck in a 'neutral position'. They don't know what to do; they don't know where to start. The guys that are starting out, however, don't have that legacy scenario. They don't have to fix anything to move forward with PoPi.

Carl Townsend, ovations product lead, Ovations Group: To be fair to them, the dates on the introduction of the regulations have been ambiguous. If you are running a company, you already have a lot on your table. Why should you prepare for something that's 12 months away? A year might not be enough time to prepare for PoPi, but you can understand why panic mode is almost a business model when it comes to preparations.

Varsha Ramesar, managing consultant, EOH Information Services: Small businesses are in a better position than corporates when it comes to preparing for PoPi. Large businesses should treat these preparations as part of their transformation to becoming more digitally oriented businesses.

Rian Schoeman, head of legal, LawTrust.

Many businesses are shifting towards technologies like data analytics and are setting up systems that will manage their data to facilitate this shift to digital.

With this shift already happening, now is the right time to put in place compliance requirements.

Theo Watson, Microsoft: One of the things holding up everything is the setting up of the Information Regulator, an agency that will enforce PoPi compliance. Until it has been set up, we don't know how specific parts of the act will be interpreted. The faster the Information Regulator is set up, the better for everyone.

How far-reaching will PoPi's impact be on business?

Gary Allemann, Master Data Management: PoPi is about a cultural shift. It's about understanding that the person whose data it is has more rights over it than the businesses that have collected and are using the data do.

Theo Watson, commercial attorney, Microsoft.

I lot of the changes to business will be their responsibility and accountability when it comes to data management. I don't believe the intention of the law is to stop using data to conduct business, it's there to stop the abuse of data.

Mark Walker, Associate vice president for Sub-Saharan Africa, International Data Corporation (IDC): if If you don't take PoPi seriously, the worse-case scenario is that you lose your business. The super-worse- case scenario is the CEO ends up in jail. What is the likelihood of these things happening? When you run a business, you work on a thing called 'acceptable risk'. Although there are fines and other sanctions, for many businesses leaders, it comes down to them asking, 'Does this apply to me and can I get away with it?'.

Can someone give us a breakdown on the types of data out there?

Thomas Reisenberge, Legalese: So you get 'personal information' ? details like addresses and ID numbers ? but for more sensitive matters, you get what is called 'special personal information', stuff like health information and political affiliation.

Gary Allemann, MD, Master Data Management.

PoPi requires organisations to get additional consent for more sensitive information like that which falls under `special personal information'.

But figuring out these different levels of consent is tricky because we are still waiting for the Information Regulator to provide regulations on this.

We are in the process of drafting privacy policies, and not having these regulations means we are lacking major pieces of information, which means we are drafting policies as wide as possible. Drafting policies this wide was not the intent of PoPi, but it is allowed under the act.

Marius Coetzee, CEO, Ideco: There are also expectations in the law. In some instances, you don't need to get the consumer's consent. You have to get consent if the data is used for purposes other than what it was collected for.

Bridgette Vermaak, head of IT asset disposal, Xperien.

What I find scary is that there is a lot of consumer data already in the public domain. I can go to a credit bureau, a deeds office and the vehicle licensing department to get data on a consumer.

I don't need the consent of the consumer to use this data, as long as I use it in a legitimately defined purpose.

Theo Watson, Microsoft: What Marius is saying is true, but you also have to understand that what the legislation is trying to do is to give me as the data subject control of my data.

Varsha Ramesar, managing consultant, EOH Information Services.

My data may be in the public domain, but the underlying intention of the legislation is to discover how it got there. If, for example, I sign a security register when entering a building, will that information be used for marketing purposes?

How does South Africa measure up against other jurisdictions that have put in place similar laws?

Bridgette Vermaak, head of IT asset disposal, Xperien: We deal with data at the end of life. We deal with it when it needs to be destroyed. We have practised PoPi-compliant data destruction five years before it was gazetted in South Africa.

Mark Walker, associate vice president for Sub-Saharan Africa, International Data Corporation (IDC).

We have been following European data privacy laws, which are more or less the same as PoPi when it comes to how data is processed, why it is processed and how it's being destroyed.

From what I have seen, South Africa is only looking at the 'why' and 'how' when it comes to data processing. We are not really looking at destruction.

Gary Allemann, Master Data Management: We have seen cases in the UK where businesses have been found out for having poor controls, like sharing passwords with about 40 people.

Marius Coetzee, CEO, Ideco.

The lesson here is that if you run your business properly, these kinds of things won't happen.

Varsha Ramesar, EOH Information Services: If you look at what has happened abroad, they have felt the pain of penalties. From what I've seen, people throw technology at it, hoping they can solve the problem. But what they really need to do is deal with the culture part, which is addressing how people behave, as well the businesses processes and the procedures.

This article was first published in the May 2018 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.