During the ISPA iWeek 2015, we were able to attend a superb briefing on what the Protection of Personal Information Act means for the local Internet industry. Among the insights received were the effects that POPI would have on the industry, and how entities need to respond to ensure they become and remain compliant.
A key issue with POPI will be timing. The difficulty of achieving compliance scales with the size of an organisation, as well as with the volume, complexity and distribution of the data containing personal information. From the date of commencement (still to be announced by the President at the time of writing), data holders and processors have a year to ensure compliance. While this can be extended by up to a further two years upon successful application to the to-be-appointed Regulator, this kind of compliance is comparatively new to SA entities and may prove to be a challenge, both in implementation and in the change of mind-set it requires.
The Internet industry, and Internet Service Providers in particular, need to understand that the application of POPI is a blanket requirement with an implementation reach wider than expected. For example, since POPI deals with both the storage and processing of personal data, it also covers company-held information relating to individuals, not only customer records. Any implementation plan would need to take this into consideration.
Adopting a model similar to the one used in the United Kingdom’s Data Protection Act implementations, the best-practice approach for implementation is to appoint an individual in each department or division of an organisation to deal with POPI requirements. This approach has a double objective: allowing each department to function independently and self-regulate its POPI processes, while at the same time removing the need for all POPI interaction to be facilitated by the Legal department or a similar entity.
Building on the appointment of individuals, the designated people dealing with POPI become, in effect, compliance officers. Their added tasks would be imparting knowledge and training, taking on the responsibilities of compliance, and ensuring they keep up to date with legislation and auditing requirements. Compliance officers can additionally choose to follow a career path based on keeping companies’ processes in line with POPI. The potential exists for the development of education, training, applications and direct job opportunities related to POPI compliance.
While achieving compliance is a lengthy process, there are mechanisms to enable and promote its success. After examining the efficacy of models used to bring about similar compliance across the European Union, the conclusion is that the most effective model is to allow entities to volunteer both for compliance assistance and for being audited to ensure correct adherence. Prior to this, however, entities should take the initiative and develop both training and implementation procedures internally before POPI is signed, putting themselves at a significant advantage when it becomes a requirement. Finally, it is recommended to develop a strong POPI-focused rapport with both the Regulator and associated industry bodies, to establish communication channels that may be used to resolve potential POPI queries and issues.
Lastly, some vital aspects pertaining to organisations’ codes of conduct need to be raised. Companies may well want to bear these in mind, as they will not only form the framework around which conduct rules are adjusted, but will also need to be spread into the company culture so that all employees are aware of and comply with them. Of particular note are the security safeguards for personal data, the handling of information on children (as a vulnerable group), aspects dealing with prior authorisation of data use, and the matter of direct marketing to consumers. Addressing these concerns should become a priority for those altering their codes of conduct to promote POPI success.
To quote the session’s speaker: “If your client is going to be surprised by what you do with their data, it’s a good indication that something is wrong on your side”.
The author attended this briefing session as part of the Adept team sent to ISPA’s iWeek 2015.
The speaker, Paul Esselaar of Esselaar Attorneys, is also a co-founder of Novation Consulting, an entity self-tasked with making legal issues comprehensible for the public. He literally wrote the book on POPI with “A Guide to the Protection of Personal Information Act” along with co-author Elizabeth de Stadler. We thank him for the information shared, which led to the majority of the insights presented herein.