The Protection of Personal Information bill (POPI) in South Africa will see the introduction of a new role for specialised compliance officers within enterprises, according to Ayanda Dlamini, business development manager of LGR Telecommunications.
HumanIPO reported last month that the vast majority of South African businesses are unprepared for the complications the POPI bill is set to impose on data management.
“The new POPI bill, now being signed into law, ensures the protection of personal information on a level unprecedented in South Africa,” said Dlamini. “The benefits of this new legislation include protection of customers’ rights to privacy and the elevation of South Africa’s standards of data protection to meet world standards.
“As a result, South African business will be in a position to welcome more international businesses willing to work with them because the country has a sound data governance framework in place. The harmonised data protection policies will also reduce the risks of sending sensitive data.”
However, Dlamini said there will be no margin for error regarding compliance, as a regulator such as the Independent Communications Authority of South Africa (ICASA) has the authority to issue fines of up to ZAR10 million (US$967,500) or prison sentences.
According to Dlamini, the responsibility lies with the most senior executives of a company because they will be held liable for non-compliance, so it is imperative for senior management to take urgent steps to comply with the POPI bill.
“Compliance with POPI will impact a broad spectrum of departments and processes, from communications with customers, to data capturing and management, to cloud computing and branch interactions,” said Dlamini. “Even internal data – such as that collected and stored by human resources (HR) – will be impacted by the new legislation.”
Dlamini said POPI will affect communications and manual data records in addition to digital data.
It is also important to make clear distinctions between the types of information gathered and stored, and to adhere to the time frames in which certain data must be destroyed.
“In future, formal processes will have to be introduced to manage and secure the flow of data throughout the organisation. Compliance with POPI may require the major revision of multiple processes, in consultation with legal consultants, IT, and management,” said Dlamini.
“Therefore, we will see a need emerging for a project head and liaison between IT, consultants, business divisions and management, which will drive the creation of specialised consulting teams and the role of the personal information protection compliance officer in the enterprise.”
He said the POPI compliance officer will be tasked with assessing the framework of data warehousing and business intelligence (BI), enterprise mobility, and business process management (BPM), regardless of whether the function operates in-house or is outsourced.
According to Dlamini, an action plan together with key deliverables must be put in place to deal with the overhaul of processes.
“With the legislation now being passed, South African enterprises can expect to be given only around one year to become compliant. Considering the magnitude of the task at hand, organisations will need to begin their compliance planning now – whether they have allocated budget or not,” said Dlamini.