
Businesses warned to better protect personal information


Huge price to pay if non-compliance uncovered

By Ted Keenan - 21 May 2021

BEWARE CRACKDOWN: Melanie Coetzee, of East London legal firm Bax Kaplan Russell Inc, says non-compliance with the Protection of Personal Information Act could cost up to R10m or ten years in prison.


What seems to have taken forever is now just over a month away: the Protection of Personal Information Act (Popia), first promulgated in 2013, comes into effect on July 1.

Companies slow off the compliance starting grid could face draconian penalties.

Melanie Coetzee, of East London legal firm Bax Kaplan Russell Inc, who is based at the firm’s Cape Town office, said non-compliance could cost up to R10m or ten years in prison. The question, she said, is whether the regulator will bare its teeth.

“There are similarities between Popia and the Consumer Protection Act. I can’t predict the enforcement outcome. However, while R10m seems like a lot, it is small change compared to the European penalties.”

Zaakir Mohamed, corporate investigations and forensics lawyer at international law firm CMS SA, said: “The penalties show how seriously the legislation is viewed by the Department of Justice, under whose auspices the Information Regulator [IR] falls. Users of personal information should review whether they comply with the act.”

He said every company had to have an information officer (IO). By default this is the most senior person in the firm, until the IO role is assigned to another senior executive. Either way, the CEO or MD retains the accountability and responsibility.

Coetzee said while there was no rule against outsourcing the IO, perhaps to a legal or auditing firm, it was not a task that she would undertake.

Mohamed said Popia regulated how the personal information of both individuals and juristic entities was processed. This inevitably included the personal information of an organisation’s clients and employees.

“As a result, it affects virtually every department in businesses — in particular, the sales, marketing, human resources and IT departments. There is no one-size-fits-all solution for Popia compliance, because the exact steps are different for each company and depend on the specific business as well as the systems and processes that are already in place.”

Coetzee said there were several high-profile incidents in the spotlight, including the Virgin Active, Nama Khoi (the municipality in Northern Cape province) and Seeff data breaches.

“Firms that are apathetic to Popia, hoping it will go away, will find themselves in serious trouble if they are hacked. I encourage all companies to have a serious look at their systems.

“With more than six billion internet users there are hacks every 39 seconds. People are tired of direct marketing and Popia offers them the chance to lay complaints.”

Mohamed said smaller companies were in the firing line, mainly because of staff constraints worsened by Covid-19, as well as the cost of hiring experts and the problem with dedicating an IO role to a person.

He said compliance was a massive task.

“Masses of personal information about customers and employees have to be managed in a way that complies with Popia: identity numbers, contact details, employment history, psychometric assessment results, references, qualifications, disciplinary records, union membership, health, biometric information, account numbers, IP addresses, photos and sexual preference. Anything that can identify a person, including their phone’s or computer’s Media Access Control addresses [the computer equivalent of human ID numbers] and browser history — and even in some cases their names.”

He said companies yet to start the exercise should act now.

“The IO’s ideal starting point is an assessment of how and where information is currently sourced and stored, and on which database.

“Step two, a privacy policy, training staff at all levels on Popia requirements, and looking at possible practical implications should the IR investigate the company.

“Step three is training staff on how to prevent information breaches.”

Mohamed did not expect the regulator to offer an extension, as the act had been promulgated eight years ago and the provisions were effective from last year.

“We do, however, expect to see civil suits for non-compliance in the not-too-distant future.

“Compliance is not a one-off action; it will become part of every company’s business-as-usual processes.”

As a final word of advice, Coetzee said holders of information should review what was essential and usable and ditch the rest.

Source: Businesses warned to better protect personal information

Authors

Zaakir Mohamed
Partner
Johannesburg