For years the privacy sword of Damocles hung precariously over South African businesses, threatening severe consequences and penalties for non-compliance with the Protection of Personal Information Act, 2013 (“POPIA”).
Now, nearly a year since it activated in July 2021, organisations are settling into the reality of conducting business in alignment with its regulations and data protection best practices.
While many organisations have placed compliance at the core of operations, there has sadly been a surge in data breaches impacting South African businesses in the same period, creating a climate that is ripe for POPIA enforcement.
The first anniversary of POPIA
POPIA governs the processing of personal information of individuals and juristic entities (“Data Subjects”) by organisations (“Responsible Parties”) in South Africa, regulates the processing of personal information of individuals by organisations from collection, aggregation and usage all the way through to retention and destruction.
Encouragingly, the Information Regulator, empowered to monitor and enforce compliance with the provisions of POPIA, has been active in engaging with organisations that have experienced data breaches over the past 12 to 18 months.
The added scrutiny means organisations must be far more cognisant of how they process personal information, ensuring that their security controls are adequate and effective.
Gateway to international arena
While compliance has historically been viewed as an administrative burden, many organisations now realise that privacy enablement is no longer a ‘nice to have’ but a valuable necessity of being able to do business. In tandem, technology companies are ensuring privacy forms a key part of their offerings.
The role of the Information Officer
The mandatory appointment of an Information Officer in all organisations remains one of the more contentious aspects of POPIA.
Without clear guidance on where this role needs to be positioned, organisations have adopted differing approaches. In practical terms, this is often driven by the size of the organisation, the resources at its disposal and the level maturity of its data protection programme.
Whereas smaller organisations are likely to appoint a multitasker, where the role of Information Officer will be added to the existing headcount in the business, larger arge organisations are more likely to hire a full-time candidate who will be dedicated to the role and oversee a discrete data protection function.
A seat in the boardroom
As more organisations begin to recognise the impact of data protection, both fiscally and reputationally, –privacy has become a business imperative requiring executive input.
This often becomes the preserve of Chief Information Officers, but there is an increased focus on appointing experienced Chief Privacy Officers with specialised skills in ensuring POPIA protocols are followed.
Attention to third parties
One of the biggest challenges for local organisations is the lack of attention to privacy risks associated with third parties. As operators in the POPIA relationship, they must also play their part in preventing security compromises.
It is therefore imperative to consider the reputation of the third party, the maturity of their privacy programme and whether they employ suitably qualified and certified privacy and security personnel to oversee their operations.
A final, overarching component of the compliance journey is ensuring that awareness of data protection obligations and privacy rights permeate all levels of the organisation through regular privacy training.
Privacy training must be regularly conducted, departmental based and appropriate to the organisation.
The adage “privacy is everyone’s responsibility” holds true, which is why organisations must improve accessibility to data privacy practices and ensure all employees are cognisant of the privacy regimes within their organisation. Data protection must become part of the living culture of all organisations.
