The Popi problem persists, study shows
Survey of SA firms shows less than half are well prepared for Protection of Personal Information Act requirements
There was a moment in the dawning age of the internet when anonymity was a selling point. I guess it still is for the trolls and ne’er-do-wells of the online world.
I’m sure there are other legitimate reasons to stay anon, but to a large extent as our worlds migrated online and it became the default platform for business and socialising, our experience of the web became more personal. Myspace planted the seeds, but it was arguably Facebook and Twitter that catapulted us into the era of “verified accounts”, influencers who literally trade on their identity, and identifiable interaction.
Additionally, those who need, store and sell our data looked to servers — on-site, cloud, private or otherwise — in which to keep the nice deep ocean of bytes that constitute our phone numbers, addresses, credit ratings and more.
As we know all too well, though, our personal data is valuable, and there has been a rising movement to protect it through legislation like the EU’s general data protection regulation, and locally the Protection of Personal Information Act (or “Popi” to its friends).
After a solid few decades of giving our data away in exchange for “free” accounts, the primary concern seems to be clawing back some control over who knows what about us, and how they use that information.
After a lengthy drafting period (this saga started with a bill passed in 2009), and an even lengthier consultation and regulatory what-what (the technical term) period, Popi officially commenced on July 1 2020. Organisations were given a year to become compliant before the new authority, the information regulator, could start enforcing the stipulations of the act.
The first half of this year was basically Christmas for compliance providers offering to get your business up to scratch for a fee. And now that we officially live in the time of Popi, we should all be sorted.
Not so quick. Data from information management services company Iron Mountain suggest the Popi problem persists. A survey of SA companies undertaken ahead of July 1 suggests less than half (44%) described themselves as “well prepared” to become compliant in time for the deadline.
The survey, which drew responses from just under 400 organisations, makes it clear that companies fear the fines (45.1% cited this concern) and reputational damage (58.9%) that could come from being noncompliant, but right up there (with 58.2%) was the complexity of sufficiently complying with the act.
This is worsened by the digitally untransformed status of so many companies, and on questions relating to compliance readiness — such as “do you have a compliance officer or processes for deleting?” — the “ayes” take it, but not by much.
And then (hard talk time) there’s usually a gaping chasm between the policies we have in place for things and the real situation on the ground. So head office may have Popi waxed and the general managers trained. Maybe branch staff have gone through their hour-long training too, but what’s really happening to the Covid-19 registers you’ve filled in at every restaurant, housing complex, court, company or venue for the last year? Who is checking whether these are scanned, or shredded, or folded into paper planes and launched into the ether?
Then there’s the matter of how we are protecting our digital data stores while cyber attack numbers continue to explode.
Earlier in September, we learned that the department of justice was the target of a ransomware attack that had knock-on effects for the information regulator, whose own systems became briefly unavailable. It’s not clear precisely what information was compromised in what ways, and what the status of it is now. There have been several such attacks on high-profile local organisations and public service departments in 2021. The attack on Transnet’s IT systems in July is the next obvious one to mention.
TEAM SPORT
All the experts and commentators seem to agree that the volume of attacks is likely to grow, which is the kernel of calls from some quarters to see a global collaboration on the matter of cybersecurity, jumping off the understanding that a piecemeal response is clearly not cutting it.
In April on the World Economic Forum website, the UK National Cyber Security Centre’s Paul Maddinson wrote: “Cybersecurity is a team sport that is most effectively addressed together, and global collaboration and information-sharing are vital for our communal defence from criminal activity.”
I wholly support the spirit of the Protection of Personal Information Act, but my inner pragmatist remains dubious over just how we are going to wrangle with this personal data beast. I think compliance and fines are a great motivator, but I am less convinced that they have any meaningful effect on the culture of an organisation, or on our own lax attitude to this stuff as a society.
That’s not to suggest I have ready answers, short of trying to walk back decades of social practice and pulling down the scaffolding of contemporary capitalism (because that seems so doable). Having been trained to trade on our data, how can we even begin to walk this back?
I hope some folks smarter and more strategic than I have answers — and I would love to hear them.