As we are all aware, or at least should be, the Protection of Personal Information Act, 4 of 2013 (“POPIA”) becomes real in our lives on 1 July 2021 in that the majority of its provisions become effective on that date.
Don’t panic about POPIA
Over the last couple of months, it has become very apparent to us that there is a huge amount of panic and confusion about POPIA and what will be expected from businesses in South Africa in terms of compliance. A high level of unfamiliarity, as well as businesses being exploited by certain parties offering “quick fix” POPIA compliance solutions, adds to the current state of affairs.
During the next few weeks, we will provide you with a bit more background and comfort regarding POPIA, its application to your business and what you should be doing. Furthermore, we will explore what basic tools Moonstone will be making available to our contracted clients in order to assist you with your journey towards complying with the provisions of POPIA.
POPIA – Eight points to consider
As a starting point, here are a couple of matters to contemplate:
- Every CEO, Managing Director, Managing Member or Sole Proprietor must realise and appreciate that, by law, they will be the designated Information Officer and ultimately responsible for POPIA compliance within their organisation. This responsibility cannot be delegated, although the work of becoming compliant and reviewing compliance may be delegated. However, the majority of the work will have to be borne by the business itself.
- POPIA compliance is completely different to compliance with financial services regulations. For most of you reading this, your experience with compliance is limited to the compliance obligations placed on you in terms of FAIS and the need to obtain and maintain an FSP licence. POPIA has nothing to do with a licence or a set of rules; rather, it is a set of principles with which every business in South Africa that processes personal information must comply.
- Ignorance will ultimately result in non-compliance. Unfortunately, everyone within a business who deals with personal information (and not only those responsible for compliance) will require some form of training about POPIA and the terminology and principles contained therein. Obviously, the level of knowledge required will depend on the role/s that the particular individual fulfils within the organisation, but awareness of your duties in terms of POPIA is going to be critical.
- You cannot make a business compliant as a whole. You can only ensure that every process in your business which deals with personal information is compliant (or is at least striving towards compliance). It needs to be noted that processes can only be made compliant if they are in fact “processes”, i.e. they should be documented and standardised in your business and followed by the persons involved.
- POPIA is principles-based legislation and there is no set of rules which can be ticked off. The good news is that these principles are driven by the concept of reasonableness. Therefore, the test will be whether your processes were reasonable given your size, risk profile and tolerance, the nature of the personal information you are processing and your attempts to comply.
- You are only compliant until such time as a breach occurs within your organisation. Compliance with POPIA can never be a project which, once ticked off, leaves you compliant. It is a journey which will require continuous refinement and improvement. No business can ever say “We are POPIA compliant”. Every time your services or the products that you offer change, your processes may change, and so may your compliance obligations.
- You will need to assign roles and duties within your organisation. The number of roles and duties you assign will again be wholly dependent on your specific business model, or, to put it simply, “what” you do and “how” you do it. Many businesses may actually find that they are already largely compliant, or they may find that they have very limited exposure due to limited processing of personal information. In light of the aforementioned nuances within each organisation’s business model, it is clear that there is simply no “off the shelf” solution which will apply in all cases.
- There is a lot of jargon and terminology. Understanding the terminology will be important in your POPIA journey. Understanding when (and if) a set of information constitutes personal information and whether or not you are processing that information within the allowable parameters will be very important in the months and years to come.
In our future articles we will expand on many of the aspects of POPIA and explain in more detail the points mentioned above. We trust that over the course of these articles you will gain insight and comfort and furthermore be in a position to apply your mind to your business in a constructive manner.
The importance of information security
Remember, POPIA is at its very essence about the protection of personal information, and the security of that information is absolutely critical to effectively ensuring such protection. You can have every conceivable documented process and policy in place, but if your information security (the systems which store the information) is not adequate, then you will have failed before you have even started. It is time to start thinking about your security: password protocols, policies about who has access to what information, how information is stored and transferred, what information leaves your offices on a daily basis and how this is protected. In our view, for many businesses, especially the smaller ones, this way of thinking is going to be the biggest challenge, but it is also the aspect that, once addressed, will offer the best protection. Investment here will be the first step for most.
Privacy and protection as part of your business
Remember that all FSPs in South Africa have, since licensing, been subject to regulation regarding data privacy and protection, so these concepts are really not new, and by and large FSPs already have many of the required processes in place. As a financial advisor, you know that the personal information that you hold about your clients is very sensitive, and therefore you are already safeguarding it.
Lastly – you are not alone. Every business in South Africa which processes personal information needs to comply with POPIA. It will be a journey and nobody will be knocking on your door on July the 1st.