SA firms have 'completely wrong' approach to POPI

Johannesburg, 29 Aug 2018
Read time 4min 00sec
Many firms will be left scrambling to put together their POPI Act compliance requirements.

Many local companies have a completely wrong approach to preparing for the looming Protection of Personal Information (POPI) Act.

ITWeb GDPR Update 2018

Book your seat today to attend the inaugural ITWeb GDPR Update 2018 in Johannesburg, on 7 November. Experts from across SA businesses will be presenting in mini-workshop format during the one-day, multi-speaker conference. Also on offer is a half-day workshop, presented by Peter Hill, IT Governance Network, and a two-day training course, covering GDPR compliancy: dataflow management with regards to an integrated IT solution. To find out more, go to: http://v2.itweb.co.za/event/itweb/gdpr-update-2018/

This is according to Candice Jackson, managing consultant at risk management firm Mobius Consulting, speaking yesterday at the Information Systems Audit and Control Association conference in Johannesburg.

Discussing the biggest mistakes made by local firms when getting ready for the legislation, Jackson explained that many approach POPI as a compliance exercise rather than an opportunity for behavioural change.

This wrong approach leads to the organisation dumping the POPI responsibility on the legal department and excluding the rest of the business units.

"Organisations simply throw POPI-related responsibilities to their legal teams and don't involve the rest of the business. The entire business should be involved in this process, including the risk teams, IT teams and security teams, who actually conduct everyday business operations.

"The legal team will provide direction, but if organisations leave POPI completely to them, it's going to become a compliance project and they won't get full buy-in from the rest of the company."

POPI attempts to bring SA in line with international standards for the collection, recording and storage of personal information. While the Act was signed into law on 26 November 2013, it is not yet fully operational.

Once implemented, POPI is expected to change the way businesses approach the protection of customer, employee and stakeholder information, through the regulation of how the data is processed.

Another mistake often made by local firms, Jackson pointed out, is that they throw in hi-tech data management solutions in the hope the technology will automatically take care of all the compliance requirements.

"They throw in the technology and adopt a compliance process in efforts to make sure the data is secure, but they forget to think about the day-to-day people who handle this information.

"Employees who deal with data have to actually understand and know what their responsibility is when it comes to collecting, handling, processing, to eventually having to delete that information. People need to fully understand what their responsibility is; therefore the entire behavioural aspect is important over and above just ticking the checkbox."

Roelien Howell, senior managing consultant at Mobius Consulting, explained that companies are struggling to understand what international regulation applies to them.

"Because they operate in SA, most local firms think they don't have to comply with laws from other countries in which they operate. There are many other privacy requirements they often need to take into consideration and GDPR is only one of them."

She advised firms to go through the GDPR compliance checklist, to find out if they are expected to comply and to get an understanding of the complete requirements.

Ill-prepared

Once POPI comes into effect, businesses will be given a grace period of one year to comply. If the Act is not adopted after this time, organisations could face financial penalties of up to R10 million, or a prison sentence of up to 10 years could be imposed.

In terms of preparation for POPI, Howell explained that some industries are ahead, while others are still waiting for the Act to be fully operational before they start their preparations.

"Industries which have always been heavily regulated are ahead in their POPI preparation initiatives. For instance, those in financial services are already complying with an array of privacy requirements and POPI is just one more that they will need to adhere to."

According to a 2016 survey conducted by Ipsos, more than three-fifths of local SMEs and a third of larger organisations believe POPI does not apply to their business.

According to the findings, C-suite executives (70%) are more likely than SMEs (37%) to understand the implications of the POPI Act. One-third (32%) of SMEs said they had no protocol for storing and disposing of confidential data.

An ITWeb online survey, which captured a cross-industry sample of 108 responses, found that half of organisations surveyed admit to being ill-prepared for the implementation of POPI.

It revealed that most respondents were still in the dark about its compliance requirements and are not sure how to adequately prepare.

Howell advised local firms to educate themselves about POPI: "Ignorance will lead to some form of failure, with many firms left scrambling in the last minute to prove compliance."