Local financial services businesses have been urged to wake from their Protection of Personal Information (POPI) Act slumber and begin implementing the changes in data collection, management, processing and storage necessary for compliance. A recent POPI seminar, hosted by Compli-serve and presented by Elizabeth de Stadler of Novation Consulting, revealed that many firms suffered from POPI Act fatigue due to the drawn-out implementation of the legislation. The Act was signed into law in 2014; it took until 2016 for the Information Regulator to be established; and the first regulations only saw the light of day in 2018. But the final push for POPI compliance is now underway.
On your data protection marks…
“President Cyril Ramaphosa’s June 2020 promulgation of most of the outstanding sections of the Act is the starting gun [for our race to compliance],” said Richard Rattue, Managing Director at Compli-serve. “The industry now has a 12-month implementation period to ensure full compliance by 30 June 2021.” He observed that larger firms had set out on the compliance journey some time ago, but that smaller firms tended to put off their data protection initiatives due to the perceived cost and complexity. The time for delay is over. “Organisations have a year to bring their activities into line with the legislation,” said De Stadler, before promising to equip seminar attendees with the tools needed to get excited about the Act.
The seminar kicked off with a 15-minute overview of the essential building blocks of the legislation before offering a five-step plan to ensure compliance in your advice practice. At the outset we learned that the data discipline proposed in the legislation underpins an ethical and profitable business. De Stadler observed that definitions were an important starting point for understanding the Act, beginning with that of personal information. “If you cannot identify personal information, then you cannot protect it,” she said, before adding that “anything that your advice practice can relate back to a living, identifiable individual is considered personal information”. Personal information can be collected from a diverse universe of data subjects including clients, employees, suppliers, vendors and visitors.
Another important concept is that of the responsible party: the organisation that is held accountable by the Information Regulator for any POPI Act compliance breaches. Those processing data on behalf of the responsible party could include data operators or data processors, who have fewer legal responsibilities.
How to source, store and use personal information
The POPI Act sets out how you source, store and use the personal information that belongs to the various data subjects that your business interacts with. “The Act is written around eight conditions of lawful processing of information against which you must assess your practice’s processes,” said De Stadler. As the seminar progressed, we realised there was no ‘check box’ shortcut to ensure compliance with the legislation. What is required is that each business makes a careful assessment of its personal information-based business processes to ensure they meet the three critical components of Information Security Management (ISM), namely confidentiality, integrity and access. “Once you have an ISM framework in place you can begin to worry about the information privacy aspects, which determine what you are allowed to do, and how you are allowed to do it,” said De Stadler.
How should financial advisers and short-term insurance brokers go about ensuring POPI Act compliance in their firms? The seminar offered a simple five-step plan that will get your business most of the way there. The first step is to create an incident response team within the business, to define and monitor your responses to any POPI-related incidents that might occur. Step 2 is to conduct a Personal Information Impact Assessment (PIIA) to prevent you from introducing new personal data risks to your business.
Circumventing personal data risks
You will not find mention of the PIIA in the legislation; but it was introduced as a requirement in the 2018 regulations to the POPI Act. The regulation requires: “An information officer must … ensure that … a PIIA is done to ensure adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information”. This process must be performed whenever you consider using personal information for a new purpose; when you launch a new product or service; when you expand into other countries; after you implement new software or systems for data processing; and when you share data with outsiders. De Stadler said that it helped to think of the PIIA as an extension of your risk management function, where you continually establish context; then identify, analyse, evaluate and design treatments for risk; while at all times monitoring and reviewing the risk environment.
The third step towards POPI Act compliance is to implement strict access controls for both your physical premises and your information technology infrastructure. This is of particular importance against the backdrop of data breaches, many of which result from lax security practices among your employees. Step four is to review your forms and make sure you have a clear understanding of why you are requesting personal information and how that information will be used. A good rule of thumb is to collect only the information you need, a process made easier by clearly defining your reason for collecting it. Step five is to have a plan for the rest. “Regulations to the POPI Act require your information officer, the person within your practice who is responsible for compliance, to develop, implement, monitor and maintain a compliance framework,” said De Stadler.
The colonoscopy metaphor
The presentation concluded with a list of 10 lessons from seeking POPI Act compliance, which we will share in a future newsletter. We will, however, sign off with a quote attributed to journalist Sean Graham, who, when commenting on compliance, wrote: “Compliance is like a colonoscopy: people may need it, but they do not want it, they do not like it and they certainly do not want to talk about it”.
Writer’s thoughts:
It is impossible to document a comprehensive data compliance strategy in a 1000-word newsletter; but we can console readers with De Stadler’s observation that “90% of organisations will operate under ‘business as usual’ conditions once their POPI plans are in place”. Are you ready for the July 2021 POPI Act compliance deadline? Please comment below, interact with us on Twitter at @fanews_online or email your thoughts to editor@fanews.co.za.