Serious as a data breach: Another POPI ‘Call to Arms’

21 January 2021 | Compliance - Regulatory | General | Gareth Stokes

Insurance brokers and financial advisers who collect, process or store client data must invest adequate resources to ensure full compliance with the Protection of Personal Information (POPI) Act or face massive fines. They will have to appoint an information officer and draw up a POPI Plan, among other requirements, to ensure best practice is adhered to, regardless of how data is acquired or shared within the firm. “Personal information, whether it is processed by hand or by automated means such as email, WhatsApp, or Zoom recordings, must comply,” said Rosalind Lake, Director at Norton Rose Fulbright.

Key data protection terms

Lake’s presentation, which focused on managing employee data within firms, kicked off with some important concepts and definitions. She noted that South Africa’s data protection legislation differs from the European Union’s General Data Protection Regulation (GDPR) in that the South African right to privacy extends to all persons, natural and juristic, whereas the GDPR protects natural persons only.

Each firm is considered under the legislation to be the ‘responsible party’ that must determine how personal data is collected and what happens to that information within the firm. Another important POPI definition is that of an ‘operator’, a third party nominated by the responsible party to do something with the firm’s customer data. “The responsible party will have to have a contract with the operator insofar as compliance with the privacy provisions in the Act is concerned,” said Lake. The processing of personal information within a firm, whether that information relates to customers or employees, must comply with the eight principles, or minimum requirements, introduced in the legislation.

Non-compliance could attract significant penalties, as illustrated by recent enforcement actions taken by data protection regulators in the UK and EU. The UK regulator recently fined Marriott International €20.450 million for having ‘insufficient technical and organisational measures to ensure information security’, and it fined British Airways €22.046 million for a similar transgression. H&M, a multinational retailer, ran afoul of the German regulator for having ‘insufficient legal basis for data processing’ and was fined €35.258 million.

South African firms should take careful note of how seriously these regulators are taking their data protection roles. Each of the aforementioned fines was issued in October 2020. Research by DLA Piper counts 160 921 data breach notifications within the EEA region between May 2018 and January 2020, with a running total of around €220 million in fines for GDPR contraventions.

Is this the future of POPI enforcement?

The reasons given for these fines could easily be repeated domestically. “H&M was fined for storing unnecessary information about its employees while, in the Netherlands, a firm was fined for scanning biometric data without demonstrating an exceptional basis for the use of this data,” said Lake. She observed that a data subject, the person whose data is collected, processed or stored, does not have to prove that a firm was negligent or otherwise at fault in its handling of the data. All that is necessary for the responsible party to be liable for a loss is for the data subject to show that harm was caused by unauthorised processing of their information.

We shared five steps to prepare a firm for full POPI compliance in a recent newsletter titled ‘Shrug off your POPI fatigue’. Step one is to create an incident response team within your business; step two is to conduct a Personal Information Impact Assessment (PIIA); step three is to implement strict access controls to both your physical premises and your information technology infrastructure; step four is to review your forms and make sure you have a clear understanding of why you are requesting personal information and how that information will be used; and step five is to have a plan for the rest of the Act’s requirements. 

Norton Rose Fulbright drew our attention to another important requirement of the legislation: the need to consider your employees’ information alongside that of your customers and potential customers. “An employer has the obligation to take steps to ensure POPI is complied with, not only with regard to its employees, but also information related to recruitment processes,” said Jason Whyte, employment and labour law lawyer at Norton Rose Fulbright, Cape Town. Firms must consider their compliance approach to recruitment-related personal information whether it is sourced via an official recruitment process or through unofficial approaches by potential hires. “The information may have been given voluntarily; but you must process that information appropriately; personal information cannot be retained longer than necessary for serving its purpose,” he said.

How should insurance brokers and financial advisers prepare their practices for POPI compliance? There was plenty of advice on offer, including drawing up a project plan; identifying compliance gaps; determining which data processes introduce the greatest risk to your business; and developing internal and external data policies. Lake concluded that there was no ‘one size fits all’ approach to the protection of personal information. “Your business will have to carry out a detailed analysis to understand why you are processing information, where you are getting it from, where you are sending it to and whether you have operators that might require contracts,” she said. Once this exercise is completed you can focus on identifying and plugging any compliance ‘gaps’. 

A final warning was that your firm’s information officer has a “positive duty to implement a compliance programme and a monitoring programme to ensure that the POPI is complied with”. An information officer, often the CEO, may delegate his or her POPI responsibilities to another employee, but remains accountable for compliance overall. This is why the person you appoint as information officer must have the authority to implement actions throughout the firm.

Writer’s thoughts:
One of our concerns with data privacy and data protection regulation is the apparent subjectivity of certain of its requirements. It is possible, for example, that two companies that collect, process and store data in an identical manner could have different outcomes insofar as POPI compliance is concerned, based purely on the reason for collecting that data. Has your company identified an information officer to navigate the complexities of POPI compliance? Please comment below, interact with us on Twitter at @fanews_online or email us your thoughts at editor@fanews.co.za.

Comments

Added by Paul , 21 Jan 2021
Why not start by getting rid of all IT, then get rid of the bureaucracies that try and control it and then leave us the hell alone.
Just a suggestion.