As it stands now, POPI could cripple the small business community our economy is based on. Kevin Phillips elaborates
The Protection of Personal Information Act, generally known as POPI, regulates how anyone with access to personal information must collect, manage, store, secure, share and even dispose of it. POPI has been in the works for a decade and is a solid piece of legislation drafted with the very best of intentions to protect the privacy rights of South African citizens and businesses, as well as bringing South Africa in line with international privacy standards – and the ramifications of non-compliance are serious.
Everybody can see the benefits of the Act and admires the work that has gone into it, but there is also consensus that there are potentially some serious issues to be faced in the implementation. The infrastructure is simply not in place to allow full compliance.
Signed into law and gazetted in November 2013, several parts of the law came into effect on 11 April 2014. The consequences of transgression range from multi-million rand fines to civil claims and reputational damage to up to ten years in jail.
Thus far, discussions have focused on the effect of the limited timelines and substantial costs on large corporates. A year is not a long time to hire specialised staff, privacy officers, auditing service providers to review your IT and business procedures, to bring in legal consultants to review and rewrite all your policies, procedures and contracts; and then to take it further in retraining and re-contracting every staff member or service provider that might have access to personal information at any level.
The cost of this whole process, in time and money, could hurt a business of any size, and that isn’t beginning to take into account the penalties they face should they not get every detail right before the deadline kicks in.
I fear that smaller businesses should be of greater concern to everybody although the large corporates may technically deal directly with more personal information than the average SME, particularly in the banking, insurance or retail industries.
A large number of IT and software companies are small businesses and almost every business deals with them at some point. A small software company may have several large clients from a number of different industries and as long as they maintain the system in that company, whether it is local or cloud based, they potentially have access to all the personal information of each of those clients.
This is why the Act accounts for “operators”. An operator is any person who processes personal information for a “responsible party” (the main subject of the legal requirement) but doesn’t work for that party; essentially a vendor or service provider.
The Act reiterates that these operators are bound by the confidentiality in their established contracts and can only process the information as authorised by the responsible party. But then comes the tricky part, Chapter 3, Condition 7, section 21(1) says: “A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to …” (in an earlier part of the Act).
This seems innocent enough, except there is no clear standard as to how a corporation or responsible party has to meet the security requirements. “Taking appropriate, reasonable technical and organisational measures” is far too broad and creates an “every man for himself” mentality where every organisation decides on his idea of reasonable measures and then forces his suppliers into following them too.
Simply put – if Big Corporate A sets an internal protocol that says all data is to be password protected and the password must be at least eight characters long with at least one capital letter, one number and one symbol and this password has to be changed every three days, IT Vendor X has to apply that same protocol to his own company if he wants to continue to provide his services to Big Corporate A. Then Big Corporate B, another client of IT Vendor X, has decided to use a fingerprint scanner to secure access to their data, along with a four-digit code that has to be changed weekly. What does IT Vendor X do now?
It is difficult to incorporate both of these requirements into their own systems; add another ten clients with different protocols and it becomes impossible. Even one particularly complex protocol could be prohibitive for a small company who doesn’t necessarily have the expensive security systems in place that his much wealthier client does and he cannot afford to invest the time and money into updating every workstation password in his office every few days. What is reasonable for the responsible party may be completely unreasonable for the operator.
It is important to remember that IT Vendor X is directly affected by the Act as he no doubt has at least some of the personal information of his employees and clients; so he will have already had to invest financially in all the same items as the large corporates, though perhaps on a smaller scale.
It also seems inevitable that agencies will be established to provide independent verification that certain minimum standards are maintained, similar to those that assess BEE compliance. Once established, large corporates will no doubt make it mandatory to be certified this way to remain on vendor lists, as they do with BEE certification. This will create yet more red tape and another financial burden on the SME owner. Then again, at least there would be some consistency of expectation. This will take some time to establish and set up, so what happens between now and then?
THE BOTTOM LINE
POPI has the potential to be one of the best pieces of legislation created in years, protecting our rights and creating new opportunities for international expansion; but as it stands now it could cripple the small business community our economy is based on. The details need to be fine-tuned; creating clear and consistent protocols at all levels instead of a free-for-all approach before the Act can come into its own.
Author: Kevin Phillips CA(SA) is MD of idu Software