The purpose of the PoPI Act is to ensure that all institutions conduct themselves in a responsible manner when processing, collecting, and sharing private information, whether it belongs to an individual or an entity.

The crux is that the Act will hold institutions accountable if personal information is compromised or abused. This is why it is critical for companies to address the issues with a sense of urgency.

For companies that store or process data within the EU, additional legislation awaits them in 2018. The General Data Protection Regulation (GDPR) becomes enforceable on Friday, 25 May 2018 and carries far more severe penalties for non-compliance.

GDPR is a significant change in privacy law, and companies making use of third-party services or cloud hosting in the EU need to assess their data footprint within the EU. Compliance with GDPR does not automatically guarantee PoPI compliance, and vice versa.

The appointment of a chief information security officer (CISO) will be a priority at the start of 2018 and this role will be tasked with PoPI compliance.

The Act makes it compulsory for every company to appoint an information officer who must register with the regulator. Until another individual is appointed as the information officer, the CEO will carry the responsibility. Most CEOs will be eager to delegate this responsibility to reduce the administrative and compliance burden.

The key duties and responsibilities of the information officer include working with the regulator, handling queries, and overseeing the lawful management of personal information.

The appointment of a CISO could also mitigate risks in a world that is rapidly becoming more fraught with cyber-security issues. The bigger challenge here is that the skill set for a CISO will be in great demand. There are not enough candidates with these unique skills, and those who have them will be in greater demand.

Classification of data is another priority. It is important to understand what personally identifiable information is on file and why it is being stored.

The legislation determines that personally identifiable information is valuable and grants consumers the right of protection, as well as the ability to control the use and disposal of this information. Thus, it is important for companies to understand what information they have on file and why.

Lastly, if a security budget has not been addressed already, 2018 is when this will occur. The industry is expected to dedicate more budget to IT, security in particular, with budgets exceeding 2017’s by at least 10 percent.

For more information, visit www.e4.co.za