The headaches of POPI compliance


The cat is out of the bag: the Information Regulator has issued guidance, and companies are scrambling to get compliant by 30 June.

The problem is that nobody really knows what compliance means. Until we see the outcomes of complaints and the subsequent rulings of the Information Regulator, we won't know what steps South African corporates need to take to be fully compliant and not at risk of fines.

This article contains a few of our comments, gripes and straight speculation on all things POPI.

First, as a principle, there is no doubt that POPI matters in the modern world: our data, and how it is used, should be protected.

The problems as they relate to this protection and POPI in our view are:

  • No system or process can fully protect against deliberate action by an individual. Ordinary companies are not security experts, and unlike the CIA or NSA they cannot put in place measures that reliably stop an employee from walking out with valuable data. It is naïve to think otherwise. Human error and insider action will remain the single biggest risk for POPI compliance, and we hope the Information Regulator will be pragmatic in reviewing the steps a company has taken to prevent its users exposing personal data.
  • Malicious external attacks (phishing, ransomware) have escalated in the past few years. Even large organisations have become victims. It is not realistic to assume that companies will be able to prevent every such attack; they will occur. What will the benchmark for negligence be when the Information Regulator reviews a leak of data in these circumstances? Ironically, in our experience, many of these attacks originate from countries without data protection laws of this kind.
  • The potential burden of compliance is massive. Larger companies are following the example of US and European standards and implementing checklists, processes and controls for every data touchpoint. Even for larger corporates there is a risk of the tail wagging the dog. How much more so for smaller companies that don't have the skills or resources to follow the same compliance protocols? Does this have the potential to harm competition by making it easier for large corporates to dominate?
  • The Information Regulator's requirement to register an Information Officer applies to every company, including subsidiaries. This means that some bigger corporates may have hundreds of registrations. Is it really feasible to aim the rules at individual legal entities? Not only will it swamp the Regulator, but when the Regulator investigates a complaint it will probably have to wade through the whole group structure to work out where responsibility for the data really lies. And how do you protect your employees from potential criminal charges for non-compliance when, because of a complex group structure, they are implicated by an investigation they are not even aware of?
  • For cross-border activities and the sharing of data, are we creating a situation in which we restrict the use of international tools because we cannot confirm where the data sits or how it is processed?
  • The rules for prior authorisation, where they concern unique identifiers, are in our view very vague and could capture far too many activities in their net. How broadly can one argue the concept of "intended purpose"? Does this need to be specific? This one paragraph is a potential minefield. For interest, the specific paragraph is reproduced below:

    "In accordance with section 58(1) of POPIA and subject to section 57(3) of POPIA, the responsible party must notify the Regulator that he, she or it is processing or intends to process any of the following personal information, as referred to in section 57(1) of POPIA:

    3.1.1. Unique identifiers of data subjects for a purpose other than the one for which the identifier was specifically intended at collection; and with the aim of linking the information together with information processed by other responsible parties;

    Examples of unique identifiers are, amongst others: Bank Account Numbers or any account number; Policy Number; Identity Number; Employee Number; Student Number; Telephone or cell phone number; or Reference Number."

We know how hard it has been for some of our clients. It is difficult to get pragmatic advice, because advisors themselves worry that they will face push-back if they don't recommend a belt-and-braces approach. There is simply too much uncertainty.

In the interim, we suggest you do your best to be compliant. At the very least do the following (and no, we don't warrant that this will make you compliant):

  • Read the guidance on the Information Regulator's website.
  • Register your Information Officer and any deputies for each of your companies on the same website.
  • Do a risk assessment. Be sure to include every personal data touchpoint: where the data is collected, where it is stored, how it is used and how it is communicated both internally and externally. Don't forget to include your full IT environment in this assessment (servers, websites, email, cloud and SaaS tools, backups, laptops and removable storage media… it is a long list).
  • Put in place a plan to address the risk areas over time, starting with the ones most likely to lead to a leak.
  • Prepare an internal code of conduct and policy.
  • Prepare a letter you are comfortable sending to third parties explaining your processes, including how somebody can request what data you hold on them and how they can request deletion.
  • Review all your contracts and make sure you have permission to process the data for the intended purposes.
  • Send communication to every entity that processes data on your behalf or to whom you send data, and get some comfort that they are compliant. For operators processing on your behalf, POPIA requires that this be governed by a written contract, so check that one exists and that it covers their security measures.
  • Put in place staff training.
  • Check whether you need prior authorisation for any of your activities. Remember that if you need it and don't have it, you are in principle required to suspend that processing until the Regulator has dealt with your notification.

Good luck to all of you.