Cape Argus

Time to start thinking about Popi compliance

Still no clarity on the deadline

- JOSEPH BOOYSEN joseph.booysen@inl.co.za

ALTHOUGH a significant number of companies have already started implementing the Protection of Personal Information (Popi) regulations, there is no clarity yet as to when the deadline to be compliant will come into effect.

According to Simone Dickson, director in the technology and sourcing practice at Cliffe Dekker Hofmeyr, recent research from IT security specialists, Sophos, showed that only 34 percent of organisations would be ready to meet the Popi requirements once the act comes into effect.

Dickson said initially there were indications that the act would become effective within the course of this year but as this is an election year the process could be faced with further delays. She said the purpose of Popi in South Africa is that the country needs to get aligned to international standards as it is currently a global focus point.

“Because of the risk of data breach and prolific data hacks that there have been around the world, there has been much news about it, so we definitely need to get to a state where we are compliant with international standards to ensure that it would just enhance business relations, it will make it easier for us to conclude contracts with foreign investors and so on and for them to know that their data will be protected,” said Dickson.

She said the whole purpose of Popi is to protect the privacy of personal information but it is not intended to hamper free flow of information.

“It is more looking at governing the measures that you put in place and making sure that information is not abused and used, but it is still recognised that you need information to conduct your everyday business,” she said.

Regarding cybercrime, Dickson said it goes further than just a Popi issue.

“At the very least, if you’ve got your fundamentals in place to protect personal information it is at least a means of making sure that there is governance in place to prevent cybercrime and then awareness, and also penalties which apply should you not be compliant,” she said.

Dickson said that it was also about awareness and being careful of what information was being shared.

“Because Popi makes sure that you have to look at your security standards and procedures, that also serves to looking that your cybercrime risk is minimised because you’ve looked at your system to check what the chances are of a data breach here.

“You can’t just do it once off, you have to do it regularly to make sure that it is maintained because with data breaches these guys are clever and they are coming out with new ideas at every step,” said Dickson. She added that there are very few companies that are currently fully compliant.

“Compliance is massive, because legislation is so extensive – that’s why we are definitely encouraging organisations to get their compliance ready, to start looking at gaps and to just get cracking on this because it is a very big exercise, depending on the size of your business and the types of data you require. Primarily financial institutions are quite ahead of the curve because they have duties of secrecy and confidentiality critical to them so I think it is pertinent to their business and it is going to affect everybody,” she said.

Dickson said that once Popi becomes effective, there will still be a window period of about a year in order to give companies time to comply.

THERE will be a window period to give companies time to comply with the Protection of Personal Information Act regulations. | Rawpixel