The Protection of Personal Information (POPI) Act has been imminent for some years, and was finally signed into law in November 2013. In principle, the business community has welcomed POPI as it brings South African legislation in line with international directives and laws that deal with the thorny issue of data privacy.
“POPI is not just about red tape and new overheads,” says Dr Peter Tobin from IACT-Africa. “It gives South Africa the opportunity to join the international community; to establish our own international competitiveness and to recognise the importance of data privacy. We need POPI because, without it, we will be increasingly left out of the international community.”
In essence, POPI deals with how companies handle their customers’ personal information; ensuring that they take due care in collecting, storing, sharing and destroying it. Tobin says there are many different aspects to the definition of personal information, all of which will need to be clarified once the Act is running. And, while many companies have started overhauling their IT processes in anticipation of POPI, there are many areas where they could still fall short – or fail to recognise there could be an issue.
“To start off with, there are so many different record types: electronic; photographs; documents; fiche; books; film; computers; maps; and other. We are going to have to tighten up our record-keeping if we want to comply with POPI.

“Then, in many cases it’s not altogether clear what personal information is. Where does social media fit in? What is the profile we maintain on ourselves, our employees and our customers? And don’t forget, in terms of the Act, a company is a person as well.”

Companies also have to consider special requirements.
“There are special considerations including information about children, the rights of data subjects, and the appointment of information officers, electronic direct marketing, trans-border information flows and more.

“You need to understand the implications of POPI in your day-to-day operations as well as for events like direct marketing, call centres and exhibitions.”

Once the Act is fully commenced (promulgated) and the Information Regulator set up, companies will have just 12 months to become compliant with the legislation. And companies that don’t comply face the prospect of a fine and possibly even prison sentences for company directors. “There could potentially be fines of up to R10-million and jail time of up to 10 years for executives,” Tobin points out. “Other implications of non-compliance include possible civil damages claims – including class action suits – as well as damage to the company’s reputation, loss of customers and damage to the business.” But there are upsides to compliance as well, he says.
“There is an opportunity for your business to demonstrate good governance,” says Tobin. “And your business could provide market leadership. You need to be doing the right thing – by your staff, customers, suppliers and authorities.”

Tobin believes that shop-sa members can take the initiative and lead the industry in terms of compliance. “Chapter 7 of the Act makes provision for codes of conduct,” he says. “shop-sa and its members need to consider how best to use this opportunity to create their own code of conduct for the industry.”

Tobin points out that taking action means the association can help to influence the spirit of the law. “If we, as an industry, do nothing, we run the risk that the regulator will decide how to interpret elements of the Act, for instance the issue of destruction.

“The second option is for us to take the initiative and decide what makes the most sense and what we think is meant by certain terms and documents.

“The association is in a position to make a difference and to make all of our lives a lot easier.”
How Rexel took POPI by the horns
Many companies are still mulling whether they need to change the way they do business as a result of the new Protection of Personal Information Act (POPI). While some have adopted a wait-and-see attitude, others have been a bit more proactive. Rexel is a case in point: when POPI was signed into law in 2013, the company set out to find out exactly what implications it held for the business.
Dr Peter Tobin from IACT-Africa describes their action as a “bit of a leap in the dark” as the stationery organisation set out to find out how to adapt its business practices to accommodate the new legislation. To start with, Rexel completed an assessment to gauge its initial level of compliance with the Act. This was followed by an analysis of what personal information processing takes place within the organisation. “Once this was understood, policies were developed to meet the needs of the business and its stakeholders,” says Tobin. “We were then able to design training for each staff member at Rexel that ensures they understand the Act and how it impacts their own job.” The next step, and one that Rexel is already taking, is to make POPI compliance part of the company culture.
“An example is when you take someone’s business card, what do you do with it?” Tobin asks. “If you throw it in the bin you are making a big mistake: according to POPI you need to know where any information goes when you’ve finished with it.

“We need to change our thinking about a lot of things.”

Even shredding a document might not be sufficiently compliant, Tobin adds. “There are a number of different security standards for shredders and your staff needs to be aware of what they are. You need to think about the personal data contained on things like your old cell phones, photocopiers, fax machines, tablets and USBs among others.”

Having worked with Rexel on a POPI plan of action, Tobin says the messaging is starting to emerge in the company’s marketing, giving it an edge as having taken the initiative.
Acknowledgement: this is a shortened version of the article “Personal protection of information starts with you” and was originally published in My Office Magazine, Vol 98, July 2014. http://myofficemagazine.co.za/
This article was submitted by Dr Peter Tobin.