The introduction of the Protection of Personal Information (POPI) Act provides consumers with the security and knowledge that their data will only be used for sanctioned purposes. However, this has a significant impact on businesses, which have enjoyed the benefits of mining the data of consumers to add value to their businesses and inform their marketing strategies.
The aspects of the Act that apply to companies are not yet in effect. However, the projected one-year period between enactment and compliance is relatively short, so we advise companies to start their journeys towards compliance as soon as possible.
The Act challenges companies to find a balance between deriving substantial value from client information and refraining from using this available data in a manner that would be perceived as detrimental to the individual.
The POPI Act introduces data management principles to which all companies that process personal information must adhere. These principles include making the individual aware of the purposes for which any personal information will be used, and destroying the data after this purpose is achieved. Companies are also responsible for ensuring that the correct safety measures are in place to keep the data confidential and unaltered.
Consumers can also control the status of their data under the Act, requesting deletion of personal information when the data is no longer relevant.
In short, this legislation will require companies that deal with personal information to invest in the best security systems and processes, and employ IT staff members that are familiar with these systems and the legislation.
This highlights an important issue of trust between companies and their employees. Data now has significant value and employees need to be trusted with the level of information to which they are exposed, as well as their ability to honour the POPI Act’s distinction between personal information and special personal information. This latter category includes more sensitive information such as race, religion, criminal records and medical history. These are subject to higher security standards. This means that companies need to ensure that different tiers of data are subject to corresponding tiers of security.
This is likely to lead to the creation of specialist IT positions in larger companies, dealing specifically with POPI compliance. New titles such as privacy officer are already beginning to surface.
Managers in charge of data storage need to look at the Act carefully to ensure that standard practices, some of which may have been in place for many years, do not violate the Act.
For instance, many companies hold data for a set number of years before destroying it. However, the POPI Act instructs companies to get rid of data once it has served the purpose for which it was collected. Businesses need to ensure that they keep all the legal intricacies of the Act in mind when dealing with data. For instance, when a contract with a client ends, it is advisable to keep the data on file for a number of years, in the event of a dispute. However, after this period, the data has to be destroyed in a manner that makes it irretrievable.
Companies may also want to look closer to home for website hosting and compliant software. Local software producers and IT practitioners know the provisions of the Act and may be better positioned to ensure compliance.
In conclusion, the importance of securing personal data cannot be overstated, and not only for the consumer. Hackers have shown how inventive they are when it comes to accessing personal information. When a company’s database is hacked and this information is made available online, the brand image and trust of that company are easily destroyed.