In the past few months, many South African businesses have been scrambling to align their operations with the new Protection of Personal Information Act (POPIA).
Even non-commercial ventures like community Facebook groups have posted questions to members to ensure they meet the requirements of the Act, designed to protect South Africans’ constitutional right to privacy.
While many welcome the fact that mining of personal data and cold calls will be a thing of the past, POPIA will impact legitimate companies reliant on information to make ends meet.
Some analysts point out that direct marketing businesses are expected to take a hit, with the effect ultimately felt by consumers.
In the past, for example, it was easy for people to opt into a marketing message by simply responding “YES” in an SMS. POPIA now requires that consent forms are filled in and returned to the business so that it complies with the Act.
For business owners, the situation presents a challenge and may appear overwhelming.
But it need not be so.
While POPIA may be the new kid on the block, data protection laws are already well established in South Africa and compliance mechanisms in place to meet regulations.
Certification to standards of the International Organisation for Standardisation (ISO), carried by the country’s leading companies, is globally recognised and as such carries considerable weight with regulators.
Among the ISO offerings is ISO 27001, which contains the requirements and tools to assist in mitigating the risks associated with private information within organisations. In other words, it is the perfect vessel to navigate POPIA’s uncharted waters.
Muhammad Ali, managing director and lead auditor of leading South African ISO standards training and implementation specialist WWISE, is the first to acknowledge that advancements in technology should raise questions about people’s safety online and how their private information can be protected.
But he also recognises the value information holds for established businesses fearful of what POPIA might do to their operations.
“It does sound like a disaster waiting to happen, but it’s not the case at all if organisations introduce information management systems like ISO 27001,” he says.
“In a nutshell, ISO 27001 is a family of standards developed to provide a framework on which an information security management system can be successfully implemented. It focuses on protecting the confidentiality, integrity and availability of the information in a company by applying a risk management process.
“This gives assurance to all parties that risks are competently managed while helping any business comply with the POPI Act. Applying a security management system gives confidence to all interested parties that risks are adequately managed.”
According to Ali, there are six clear steps that an organisation should take to comply with POPIA.
As a fifth measure, any data breaches need to be reported to the regulator and the people whose private information has been implicated. Finally, any transfer of personal information needs to be undertaken legally.
Having dealt extensively with existing privacy laws, Ali has seen first-hand how the implementation of ISO 27001 can actually benefit a business or organisation.
“You’ll find it becomes easier to comply with other necessary regulations, and also provides opportunities to gain a competitive advantage,” he says.
“There are other advantages, too. Not only do customers feel safe and more confident in returning, but there is more consistency in a business’s internal processes. By building a culture of accountability and security, the company and all its shareholders are protected.”
Ali and his team assist businesses by assessing their information and making recommendations on how best to handle it.
Based on their findings, they will be able to offer advice on the circumstances under which the business may process information, for how long it may process it, how the information must be maintained and secured, and how and when it should dispose of the information.
“Furthermore, we assist in closing the gaps by way of administrative alleviation. We do this by working with your process owners to understand the requirements and conditions for your business.
“Ultimately, this enables you to take control of the protection of data, keeping the information of all stakeholders safe.”
Once the process is complete, a third-party regulatory body undertakes an audit of the business to safeguard the investment in documenting, implementing and maintaining the information security management system.