During the ISPA iWeek 2015, we were able to attend a superb briefing on what the Protection of Personal Information Act means for the local Internet industry. Among the insights received were the effects that POPI would have on the industry, and how entities need to respond to ensure they become and remain compliant.
A key issue with POPI will be timing. The difficulty of compliance scales with the size of an organisation, as well as with the volume, complexity and distribution of the data containing personal information. From the date of commencement (still to be announced by the President at the time of writing), data holders and processors have a year to ensure compliance. While this can be extended by up to a further two years upon successful application to the to-be-appointed Regulator, this kind of compliance is comparatively new to SA entities and may prove a challenge both in implementation and in the change of mind-set it requires.
The Internet industry, and Internet Service Providers in particular, need to understand this. The application of POPI is a blanket requirement with an implementation reach wider than expected. For example, POPI deals with both the storage and processing of personal data. It would thus also include company-specific information relating to individuals. Any implementation plan would need to take this into consideration.
Adopting a model similar to the one used in the United Kingdom’s Data Protection Act implementations, the best-practice approach for implementation is to appoint an individual in each department or division of an organisation to deal with POPI requirements. This approach has a double objective. It allows each department to function independently and self-regulate its POPI processes. Furthermore, it removes the need for all POPI interaction to be channelled through the Legal department or a similar entity.
Building on the appointment of individuals, the designated people dealing with POPI become, in effect, compliance officers. Their added tasks would be imparting knowledge and training, taking on the responsibilities of compliance, and ensuring they keep up to date with legislation and auditing requirements. Compliance officers can additionally choose to follow a career path based on keeping companies’ processes in line with POPI. The potential exists for the development of education, training, applications and direct job opportunities related to POPI compliance.
While this is a lengthy process, there are mechanisms to enable and promote its success. An examination of the models which brought about similar compliance across the European Union suggests that the most effective one is to allow entities to volunteer for both compliance assistance and auditing to ensure correct adherence. Prior to this, however, entities should take the initiative: develop both training and implementation procedures internally before the POPI act is in force. This will put you at a significant advantage when it becomes a requirement. Finally, develop a strong POPI-focused rapport with both the Regulator and associated industry bodies. This helps establish communication channels that can be used to resolve potential POPI queries and issues.
Lastly, some vital aspects pertaining to organisations’ codes of conduct need raising. Companies should bear these in mind, as they will form the framework around which conduct rules are adjusted. They will also need to be spread into the company culture so that all employees are aware of them and comply. Of particular note are the security safeguards for personal data, issues with the information of children (as a vulnerable group), aspects dealing with prior authorisation of data use, and the matter of direct marketing to consumers. Addressing these concerns should become a priority for those altering their codes of conduct to promote POPI success.
To quote the session’s speaker: “If your client is going to be surprised by what you do with their data, it’s a good indication that something is wrong on your side”.
The author attended this briefing session as part of the Adept team sent to ISPA’s iWeek 2015.
The speaker, Paul Esselaar of Esselaar Attorneys, is a co-founder of Novation Consulting, an entity self-tasked with making legal issues comprehensible for the public. He literally wrote the book on POPI, “A Guide to the Protection of Personal Information Act”, along with co-author Elizabeth de Stadler. We thank him for the information shared, which led to the majority of the insights presented herein.