South African businesses are not ready for the looming implementation of the Protection of Personal Information Act (POPI), according to leading auditing firm Grant Thornton.
The POPI Act, which was gazetted in November last year, and which is currently awaiting an effective date, requires widespread reforms that both the private and public sector must introduce to ensure that the personal information and data they collect are protected. The new Act also provides strict guidelines, among other things, on what data can be obtained, how that data can be used, and the requirement that it should be kept up-to-date.
Michiel Jonker, Director: IT Advisory at Grant Thornton, says that, based on feedback which they had received from the business community, it is clear that most organisations are still not ready to implement the ground-breaking legislation.
“There are many experts such as IT security consultants we deal with every day who say that South Africa is not ready for POPI and that it’s not going to work. They say even some of the big corporate players are at different levels of compliance or not ready to implement it at all,” said Jonker.
Jonker said one of the reasons for this is that South Africa does not have the privacy culture of the more developed countries.
“We see all the time how passwords and the like go unprotected. Security cameras record personal information without securing permission or issuing a warning to those affected. The African continent as a whole is not geared for this level of privacy protection - we’re in survival mode and some believe that we are therefore not in a space to implement this complex legislation yet,” says Jonker.
While POPI has many benefits, such as compliance with international standards that could open up greater investment opportunities in both directions, the cost of implementing POPI will place significant pressure on big business, says Jonker, because of the extra layer of administration that compliance requires.
These costs include the employment of additional specialised personnel, including expensive and highly skilled privacy officers; the contracting of IT and business auditing service providers; and the need for specialist legal consultants to review all existing agreements that the company has with third parties.
In addition to the rising cost of doing business, companies also face the prospect of multi-million rand monetary fines, civil claims and reputational damage if found guilty of POPI transgressions.
Lucien Pierce, legal partner at Phukubje Pierce Masithela Attorneys, who collaborates with Grant Thornton on POPI and related matters, says that the introduction of POPI could lead to significant fines for companies that are found to have suffered data breaches.
“Take Zurich Insurance as an example. The local subsidiary of the company experienced a data leak in 2008 in which they lost the data of more than 40,000 clients when the South African branch of the company lost an unencrypted back-up tape during a routine transfer to a data storage centre. While the implication for the South African subsidiary was minimal, the UK’s Financial Services Authority imposed a fine of 2 million British pounds on the UK office of the company due to the POPI-like legislation that was already in place in Europe.
“More recently one could look at Google as another example. The company has been criticised and fined for what European Union member states consider consistent breaches of data protection legislation. While South Africa does not yet have comparable historic data, these case studies are measures and direct comparisons that you could draw between the EU and here,” said Pierce.
Most at risk in South Africa are big corporate organisations dealing with sensitive information, says Jonker, because they will have to prove to the regulatory body that they took appropriate steps to offset any potential data breaches.
“A mom-and-pop shop with a few customers may need to implement basic security, but a huge medical aid entity with thousands of members, dealing with very sensitive information, will need a much bigger team of specialists and advisors,” adds Pierce. “Every business has to prove that they did what the ‘reasonable person’ would have done, considering financial constraints; the sensitivity of the data they collect, process and store; the industry standards and expectations and best practices, generally accepted by the international community.”
Jonker says many of Grant Thornton’s JSE-listed corporate clients have realised the magnitude of the administrative burden that the impending legislation presents and many have started to request assistance or have their own plans in place to ensure compliance once government sets its deadline.
“We’ve had quite a response from our corporate clients who want to be ready when the legislation becomes effective. It’s important to look at this in a global perspective and not in isolation. Any compliance must take into account the prevention of data breaches; the detection of breaches if the preventative measures fail; and the ability to repair breaches and effect damage control.”
The cost pressures notwithstanding, Jonker points out the benefits in the long run could be very positive. The international business community, for example in Europe, prefers that South Africa should have privacy legislation in place before doing business. They are forced by their legislation to ensure that their business partners do enforce similar privacy controls.
There are of course alternatives such as binding corporate rules, said Pierce. These are arrangements under which the EU authorises intra-group data transfers by multinationals. The approval processes can be quite tedious, so having one all-encompassing piece of information protection legislation that is approved by the EU makes the transfer of personal information to South Africa much simpler and quicker.
“This brings me to the argument that local dynamic organisations with significant future growth aspirations should see POPI as a business enabler or opportunity. It would eradicate even more barriers erected by international governments for SA executives to successfully embark on doing business internationally.”
The opportunities that POPI creates, however, depend on how well South Africa’s public and private sectors can embrace a culture of privacy.
“Once the culture is right all the other privacy measures will work. We need to start respecting the privacy of personal information. It starts with the tone of top management and filters to the mail room downstairs,” concluded Jonker.