By Jackie Carroll, MD of Optimi Workplace
The POPI Act (POPIA)
It’s been over seven years since the Protection of Personal Information (POPI) Act (or POPIA) was first signed into law, but on 1 July 2021 it will come into full effect at last. Business owners who have consistently viewed POPIA as a threat, and who hoped this day would never come, are likely stunned and underprepared. Those who have paid close attention to POPIA, however, and who have all the necessary processes in place, are ready to leverage it for the opportunity it is.
“The principle of protecting personal information has been around for a long time and POPIA is nothing new,” says Dr Peter Tobin, a POPI Act compliance specialist. “But as of July, businesses have to provide evidence of the practices and procedures they have in place. This doesn’t necessarily mean that things need to be done differently; it’s maybe just a matter of formalising best practice.”
Know your threats
One of the greatest myths about POPIA is that the threats are primarily external and unknown. When organisations think of privacy violations they think of malicious hackers half a world away, devising intricate ways to breach complex security systems and access data.
“The reality is that a business’s greatest risk is often its employees,” Tobin explains. “Your employees are dealing with personal information on a daily basis, and huge breaches can take place accidentally and inadvertently, by sending private information to the wrong person, for example. You have to prevent external violations, yes, but you’ve got to start by properly training your staff first.”
As POPIA comes into effect, many businesses may also see a major threat in the regulator, who could implement severe penalties if any contraventions are brought to light. But once again, businesses are just as likely to come under fire from customers who choose to go to the press or take their business elsewhere if their privacy is infringed upon. “This may cause catastrophic reputational and business damage,” Tobin adds. “The regulator is not your only concern.”
Major corporate clients, Tobin reports, are receiving lawyers’ letters from their customers requesting evidence of POPIA compliance. Those that are unable to supply this evidence run the risk of being removed from supplier lists.
Identify your opportunities
Privacy regulations have evolved around the world, and some of the largest international bodies, including the European Union (EU), the Organisation for Economic Co-operation and Development, and the United Nations, are developing new ways to hold their members to account.
The General Data Protection Regulation (GDPR), which came into effect in 2018, paved the way for much of what is now considered best practice, and the GDPR is generally regarded as among the toughest data privacy laws in the world. Businesses located anywhere in the world that target or collect data relating to people in the EU are expected to comply with the GDPR, and face fines into the tens of millions of euros or up to 4% of global turnover if they do not.
The enforcement of the POPI Act in South Africa demonstrates the country’s commitment to data security, and has the potential to improve its reputation as a trading partner. “South Africa is waking up to the fact that POPIA is an opportunity to leverage competition if we get it right,” says Tobin. “Businesses that show POPIA compliance are more likely to earn the respect and loyalty of their customers and to increase their chances of local and international trading and success.”
What you need to know
Complying with POPIA isn’t only a legal imperative; it also makes sound business sense. Local and international pressure to comply with both POPIA and related global standards is only going to intensify, and the penalties are only going to become more severe.
To help individuals and businesses better understand POPI, Media Works, in partnership with IACT-Africa, is running an online course called POPI Works. This course debunks common myths about the POPI Act and teaches participants what the act covers and what their rights and responsibilities are as individuals and companies. The course can be completed anywhere, anytime, using any smart device.