The vast majority of South African businesses are unprepared for the complications the Protection of Personal Information (POPI) bill is set to cause for data management, believes Ayanda Dlamini, business development manager of LGR Telecommunications.
POPI aims to better protect the rights of South Africans and will also set the country’s data protection practices in line with international best practice standards. However, POPI also presents some challenges for South African businesses.
“A recent survey by Cibecs business data protection found that only 26 per cent of respondents are actively adjusting their processes and looking for technologies to ensure they comply with POPI,” said Dlamini.
“If businesses are still looking to comply, we can safely assume that the vast majority are unprepared for compliance with the legislation. Usually, companies are given up to a year to comply with new legislation, but considering the scope of this particular bill, a year may not be enough.”
Aiming to prevent negligence in the disclosure of information, the POPI bill’s focus is to change the means by which data is captured, stored, and secured.
The protected data ranges from identification (ID) numbers and contact details to details on religion, education, financial and medical history, biometric data and online identifiers.
“In future, enterprises will have to not only revisit their data storage and security – they will have to overhaul many of their processes in order to ensure compliance,” said Dlamini.
Dlamini said the POPI bill will also impact on enterprises’ internal operations.
“Information previously captured and stored by the HR (Human Resources) department relating to staff must now be treated more circumspectly,” he said, adding internal business will then have to be amended for compliance assurance.
According to Dlamini, ensuring POPI compliance should not be the sole responsibility of technology. He said meta management tools and data profiling are still not mature enough to be depended on completely.
This is because both technologies can only assist in filtering and flagging data for compliance, and only in certain respects.
“Adapting to these new provisions will require careful planning and collaboration from a multidisciplinary team. Now, data management and processes must move beyond the domain of IT, into the legal and risk departments, and must include top management.
“With the potential for penalties imposed by a regulator, in addition to civil suits for non-compliance in the not-too-distant future, enterprises need to turn their attention to POPI now,” said Dlamini.