The right to privacy has been enshrined in South Africa’s Constitution since 1996. But the rise of internet usage, social media and other technological advancements such as Artificial Intelligence has complicated the realm of privacy. More than 2.5 quintillion bytes of data are created every day, and a substantial amount of this data consists of information that would allow an individual to be personally identified.
To keep up with the pace of change, privacy laws have needed to evolve to include data protection facets that give individuals more control over the use of their personal data, ensure that it is not used irresponsibly, and maintain social boundaries.
South Africa’s answer to this data protection challenge has been the enactment of the Protection of Personal Information Act (POPIA). In terms of POPIA, organisations are required to meet a number of obligations in protecting the personal data they process. The ‘processing’ of personal data includes, amongst other activities, collecting, storing, using and disseminating a person’s personal information (where a ‘person’ may be either an individual or a legal entity). This includes information such as identity numbers, contact details, addresses, health information, and employment history.
The deadline for POPIA compliance is looming on the horizon, with the one-year grace period to ensure compliance coming to an end on 30 June 2021, leaving South African businesses with little time to ensure they are fully and actively compliant with the new law. As such, registering their respective Information Officers with the Information Regulator of South Africa (the regulatory body established in terms of POPIA and responsible for enforcing compliance with it) is one of the key steps that businesses need to take to meet the relevant POPIA compliance requirements ahead of the deadline. Information Officers play a pivotal role in ensuring that their respective businesses comply with the requirements of POPIA.
Information Officers have a crucial role to play
The cost of non-compliance with POPIA could be severe for businesses, and harsh penalties are in store for anyone found guilty of an offence: the maximum penalty is a R10 million fine, imprisonment for a period not exceeding 10 years, or both.
An Information Officer will be pivotal in managing and ensuring compliance with the provisions of POPIA, helping the business avoid incurring any penalties. Companies will rely on them for the development, implementation, and monitoring of their compliance framework as well as the policy and processes that govern access to information. Another important element of the role is to ensure that all levels of the business understand the provisions of the Act and the processes that will be put in place to adhere to them. In essence, they will be the ones driving a culture of compliance within the business.
But more than that, an Information Officer will be responsible for liaising with the Information Regulator regarding information requests and any investigations conducted in accordance with POPIA. The Information Officer may also, in addition to the business, be held accountable by the Information Regulator for non-compliance.
Achieving compliance doesn’t need to be complex
Ensuring that a company is adequately compliant with POPIA might seem like a mammoth task, but there are a few practical steps that the Information Officer and the business can take to get there.
First, a personal information impact assessment should be conducted. This will assist with identifying the personal information that the business processes in each of its business units or functions, which will then guide the measures that need to be implemented to ensure POPIA compliance. It is important to gain a clear picture of what personal information is collected, used, and processed within the business, and how, by tracking the flow of information as well as the individuals who have access to this information at any point in the chain. Understanding and keeping track of who has rights to what information will also be key to ensuring compliance. Where any gaps have been identified, Information Officers must set clear and achievable targets and implement enforceable policies and processes.
Companies must also review all of the electronic systems and technology related to business operations where personal information is processed, and ensure they are secure against external manipulation or any access that is not authorised by the company, the provisions of the Act, or the owners of that information.
And finally, companies must build a work culture that places compliance at its foundation, so that it becomes part of everyday business, by educating all stakeholders on their role in POPIA compliance.
It is important to note that while the hard deadline for compliance is set, adhering to the prescripts set out by the POPI Act will be an ongoing and continuous process for businesses in South Africa. Companies will have to consistently assess their progress and update their policies and framework to adapt to the rapidly evolving privacy landscape. As such, the role of the Information Officer is key to ensuring a business’s compliance with POPIA.
By Zaakir Mohamed, Director, Head of Corporate Investigations & Forensics at CMS South Africa