For South African companies, the new Protection of Personal Information Act (POPI) is fast becoming a reality.
Consultants are driving this heavily and it seems that non-compliance could result in severe penalties for every transgression.
Your external board may even have requested that this new requirement become a priority on your list of governance items. IT, along with your internal Audit & Risk department, has been tasked with commencing this undertaking.
But how important is this really, and how should you approach it?
One of our IT Leader Mastermind groups recently tackled this question. Here is a summarised version of the outcomes.
The Mastermind Answer
Although there is no clarity on when POPI will become law, it is good business practice to attend to this proactively.
Eventually senior business leaders can be held personally liable for information breaches.
Generally, the POPI Act is a good thing as it forces businesses to start treating the handling of customer data as important.
A good first step is to classify all information assets (employee, client & supplier data) and broadly decide who should have access, for what purposes and for how long.
Only once this is in place should you consider the technical aspects of how to implement these controls.
When it comes to POPI, nobody can ever be 100% compliant. The question is rather: how much effort have you applied to safeguard the personal information you collect as part of doing business? As long as you have good policies as well as good controls in place, you should be covered.
The last question is: should this be a job for the IT department? The general consensus is that IT plays a massive role in the process, as they are ultimately responsible for the implementation, but they should work in close cooperation with the legal, audit and/or risk teams.
Some More Insights
- POPI has to be supported from the top of the organisation, otherwise it just becomes another “grudge project” and is doomed to fail.
- If you decide to tackle this topic, it is imperative that you set aside budget for it (both time and money). This is not just a quick filler between two bigger projects.
- An important question to ask yourself at all times during the project: Why do we need the data in the first place and what are we doing with it? Should we collect it?
- Implementation of POPI for the most part doesn’t have anything to do with technology.
- First line of defense to ensure compliance: educate your staff on how to handle different types of information.
- Beware that privacy of information is NOT the same as security of information. Don't treat POPI as just a security concern.
- But do consider ISO 27001 and ISO 27002 during your POPI implementation, as they are very complementary.
- To quote from https://www.iso.org/isoiec-27001-information-security.html: “The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.”
- If you want to understand the basics of POPI, a good website to start is https://www.popi-compliance.co.za.
- See also the following video: CORNER OFFICE: RISKAFRICA Interview with Mark Geschke, where Mark talks about the value propositions of IT and also looks at how POPI fits into this.