“Forewarned is forearmed” (wise old proverb)
The Protection of Personal Information Act (POPI) has been in the public domain for several years and has been enacted into law, but its enforcement provisions are not yet in effect. The appointment of a Regulator and the issuing of draft Regulations for public comment, however, indicate that the Act will probably come into effect in 2018. The recent massive database leak may lead to a bit of fast-tracking here.
POPI will require that all personal information (IDs, health records, religion, employment records, sexual orientation etc.) remain confidential, and organisations will need to identify where this information is held and take steps to protect it.
Although there will be a twelve-month grace period (from the date POPI’s enforcement provisions become effective), entities should not underestimate how much work is required to ensure compliance.
The growing trend of hacking of private information will make this task more onerous and additional costs may need to be incurred to ensure that adequate cybersecurity measures are in place.
Small and medium-sized businesses (SMEs) will be under greater pressure as they do not have the resources of the larger corporates.
What will you need to do?
You will have to –
Per the draft Regulations (comment has been called for so they could well change):
Penalties for non-compliance are severe – a fine of up to R10m or ten years’ imprisonment.
Don’t forget also the potential cost of being sued by people or organisations whose personal information falls into unauthorised hands or is hacked whilst under your control. Consider, for example, the possible claims arising from the recent South African database leak compromising the private data of 60 million people. (As a side-note: check whether any of your email accounts have been compromised here – remember to check all your email addresses, personal as well as business, and seek advice immediately if in any doubt.)
It will therefore be critical that you can demonstrate that you have made the necessary preparations and have put in place robust systems to protect personal information.
Start planning for POPI now – it will expose you to huge risk when it kicks in and forewarned really is forearmed!