Compliance with data protection and privacy legislation goes beyond regulatory compliance; it's about protecting your organisation's reputation and people's right to privacy.
Personal data is a commodity that is often sold to data brokers. Whether people are using navigation services, adding their details to a COVID-19 registry or using biometric access systems, they are sharing personal information and it needs to be protected.
Data breaches could have devastating consequences. For an individual whose data was stolen, it could mean having to change passwords frequently, enact credit freezes and conduct identity monitoring, and possibly being defrauded.
For a business, it could damage reputation through loss of brand value and loss of trust, and lead to financial losses.
The motive behind GDPR is to standardise privacy laws across Europe and protect citizens' right to privacy. It is reshaping the way data is handled across every sector.
The GDPR applies to any company that stores or processes personal information about EU citizens. If your business offers goods and / or services to citizens in the EU, then you will have to consider GDPR compliance.
Furthermore, businesses will need to comply with GDPR even if they do not have a business presence in the EU but do business with EU citizens. South African businesses are urged to examine GDPR in relation to their business operations to determine the applicability of the regulations.
Non-compliance with the GDPR could result in penalties, which could be a costly mistake for businesses. POPI, which aligns with best practice legislation such as GDPR, commenced in 2020 and allows for a 12-month grace period until the end of June 2021 for organisations to comply.
POPI aims to protect personal information processed by public and private bodies, to set conditions or guidelines on how personal information should be processed, to issue codes of conduct regulating how certain industries manage personal information, and to provide for the rights of persons regarding direct marketing.
The Information Regulator is tasked with monitoring and enforcement. While POPI makes provision for fines of up to R10-million and up to 10 years' jail time, enforcement would likely start with a notice of non-compliance issued by the Information Regulator, with time allowed for the non-compliance to be rectified.
It is important for organisations to understand what is meant by personal information and processing. Almost all South African businesses keep information about staff and customers and very few will be exempt from POPI.
POPI will apply to any personal information that can be traced back to an individual, including photos. Non-compliance could be raised by a breach, in an audit by the Information Regulator, or in a civil case.
Organisations need to become aware of the penalties, as well as the risks of reputational damage and losing customers and employees. Organisations should move now to become compliant with POPI and other best practice data protection and privacy laws.
The roadmap to compliance should start with the appointment of an information officer and / or a POPI Committee, and then go on to analyse all data processing activities within the organisation. Businesses must consider all facets of data processing in all divisions and all departments.
Organisations also need to train relevant staff on the act. Awareness is important because it brings about a culture shift. Businesses also need to ensure that the act's principles are integrated into contracts, procedures and terms and conditions.
For more information, visit www.iitpsa.org.za