The South African business sector is not ready for the implementation of the Protection of Personal Information Act (POPI), according to auditing firm Grant Thornton.
HumanIPO reported last year that Jacob Zuma had signed the POPI bill into law, although a final date for its implementation has not been set.
“The act will give effect to the right to privacy, by introducing measures to ensure that the personal information of an individual is safeguarded when it is processed by responsible parties,” presidency spokesman Mac Maharaj said in a statement.
Grant Thornton believes, based on the feedback it has received from the business community, that South African organisations are not ready for the implementation of the new legislation.
“There are many experts such as IT security consultants we deal with every day who say that South Africa is not ready for POPI and that it’s not going to work. They say even some of the big corporate players are at different levels of compliance or not ready to implement it at all,” said Michiel Jonker, director of IT Advisory at Grant Thornton.
Jonker said one of the reasons the country is not ready is the lack of a privacy culture.
“We see all the time how passwords and the like go unprotected. Security cameras record personal information without securing permission or issuing a warning to those affected.
The African continent as a whole is not geared for this level of privacy protection – we’re in survival mode and some believe that we are therefore not in a space to implement this complex legislation yet,” he said.
Lucien Pierce, legal partner from Phukubje Pierce Masithela Attorneys, said the introduction of POPI could lead to significant fines for companies that are found to have had data breaches.
“Take Zurich Insurance as an example. The local subsidiary of the company experienced a data leak in 2008 in which they lost the data of more than 40,000 clients when the South African branch of the company lost an unencrypted back-up tape during a routine transfer to a data storage centre. While the implication for the South African subsidiary was minimal, the UK’s Financial Services Authority imposed a 2 million British pounds fine on the UK office of the company due to the POPI-like legislation that was already in place in Europe.”
The Independent Communications Authority of South Africa (ICASA) has the authority to issue fines of up to ZAR10 million (US$967,500) or prison sentences to those who do not comply with the new regulations.