D-Day is fast approaching
With only a few months to go before the Protection of Personal Information Act (POPIA) comes into full force, D-Day is fast approaching and companies have limited time left to comply with its requirements.
FAnews spoke to Magda Lombard, Senior Legal Adviser at the Sanlam Group, about the group's strategy going forward, what has been challenging, the positives and negatives it foresees in the near future, and some practical suggestions.
Setting the scene
According to Lombard, Sanlam, being in the financial services industry and well aware of the critical importance of safeguarding its clients' personal information (PI), began preparing to comply with POPIA as early as 2012, with a centrally coordinated and now fairly well-advanced Privacy Protection Project, run in continuous collaboration with all its businesses. It followed a structured approach, starting by identifying and assessing the type and extent of PI collected, processed or used in its business activities and processes, applications and systems.
“Thereafter, part of the preparation process was assessing Sanlam's business model, strategy and governance capabilities, designing a group-wide target operating model, and conducting an analysis of the national and international privacy legal landscape. A high-level impact study and a group-wide gap analysis are still being conducted within the group, establishing the impact, measures and adjustments to be implemented. The process has however been delayed due to the dependency on the effective date of POPIA, the Regulations which would be setting out more detailed compliance requirements and any potential industry code issued by the Regulator,” said Lombard.
A long road ahead
According to Lombard, this assessment of adherence (the group-wide gap analysis) is still being conducted across Sanlam's full operational environment, to compare actual with desired performance and to ascertain adherence to the conditions for lawful processing of PI throughout its lifecycle. This includes in particular specific requirements such as legal basis, purpose specification, limitation, consent frameworks, incident management, information quality control and security specifications, which is a vast undertaking.
In looking at what has been challenging about the process, Lombard emphasised that, “Understanding and monitoring the use of PI within the context of legitimate business purposes, mapping activities, managing the lawful processing of PI throughout its lifecycle, identifying all the risks associated with the protection of PI to protect PI against unauthorised access and use, is a challenging and time-consuming process.”
Seeking out positives from negatives
The adoption and enactment of POPIA, according to Lombard, is an important milestone in the protection of PI in South Africa, which in the past relied mainly on the Constitution.
“It will however require a significant amount of time, resources and effort to prepare for compliance with the myriad of information privacy legal requirements set by POPIA. Also, implementing POPIA is expected to place significant cost pressures on organisations of all sizes, due to the magnitude of the administrative burden that the impending legislation presents,” continued Lombard.
“Costs could include system, control and process changes and the employment of additional resources/service providers like IT, business and legal consultants/specialists. It is also important for both the public and private sectors to embrace a culture of privacy; once the culture is right all the other privacy measures will follow. Implementation plans are furthermore being hampered by the dependency on the Regulations and potential industry codes,” said Lombard.
Despite this, Lombard emphasised that Sanlam is committed to ensuring that the PI of its customers, employees and business partners is at all times processed fairly, lawfully and securely.
The clock is ticking
Lombard suggested the following: “Do not wait for the clock to start ticking and for the Act to become fully operative before you seriously start commencing your preparations to become compliant: the one-year grace period is not long enough.”
“With some degree of urgency, I would suggest starting to assess the impact of POPIA on your particular organisation, do a POPIA risk assessment of your businesses and controls and decide on a firm strategy to follow. Prepare a project plan and road map with timelines, get the relevant people on board, raise awareness within your entire organisation, and very important: brief your executives,” concluded Lombard.
Editor’s Thoughts:
Although, as Lombard emphasised, compliance is a challenging and time-consuming process, do not wait for the clock to start ticking, because non-compliance may bear severe consequences. Have you commenced with preparations for the process? What has been challenging and what suggestions do you have? Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts at myra@fanews.co.za.