Cybercrime is no longer a rare occurrence. Between 70% and 80% of South African adults have been victims of cybercrime, and it is estimated that cybercrime cost the South African economy approximately R5.8 billion in 2014. Cybercrime comes at an ever-escalating cost to individuals and businesses, and requires clear legislation. This legislation begins with protecting private information that may be vulnerable to cybercrime.
The Protection of Personal Information (POPI) Act constitutes a critical step forward for South African legislation, as it is the first piece of legislation to have the protection of personal information as its core concern.
The POPI Act was signed into law in November 2013 and aims to promote the protection of personal information, which falls under the broader Constitutional right to privacy. It does so through the introduction of minimum requirements to protect personal information by regulating how such information is processed, stored, secured, and ultimately destroyed.
At present, these minimum requirements are not mandatory, which may explain the exponential rise in cybercrime. However, the POPI Act is a crucial component in the overall policy framework to address cybercrime.
Although the trend in cybercrime has only noticeably spiked in the past few years, the POPI Act has been in development for over a decade, having carefully considered the local digital landscape and international best practice. This will not only have a positive economic impact in SA, but will also assist in facilitating economic trade with nations sensitive about data privacy protection, such as members of the European Union.
Once it is fully implemented, businesses will have one year from commencement to comply with the legislation. Although this period may be sufficient for smaller businesses, larger enterprises, which may be far more complex, could need as much as two to three years to be fully compliant. Getting a head start with compliance activities could prove invaluable to avoid potential fines and possible legal action.
A failure to comply with the POPI Act could expose businesses to fines from the regulator of up to R10 million or, in certain instances of non-compliance, a court-sanctioned fine and/or a period of imprisonment of up to 10 years.
Here are a few steps you can take to prepare for the full implementation of the POPI Act.
- Read the Act and understand your responsibilities, as well as the rights of your customers.
- Understand your current level of compliance and determine the steps you need to take to become fully compliant. This includes taking technological and organisational measures to ensure certain minimum standards are met in protecting the integrity and confidentiality of personal information. This will have a different impact on different businesses and budgets.
- Put a plan in place that addresses the total life cycle of personal information in your business, and takes into account the resources and systems required at every touch point.
- Review your employee and third-party service provider agreements to ensure that they clearly reflect your obligations in terms of the POPI Act.
- Evaluate whether it would be prudent to purchase cyber liability insurance to manage the risks associated with a security breach or a breach of the POPI Act.
If you have any questions about the POPI Act in relation to your business, you are welcome to contact us.