SA firms dragging their heels on Popi
Johannesburg – The implementation phase of the Protection of Personal Information Act is around the corner, but the majority of South African enterprises have not yet made an effort to comply with the legislation.
The act, also known as Popi, seeks to place restrictions on how companies handle personal data and guarantees the public the right to opt in to be contacted for specific marketing or promotional purposes.
However, research by a security firm has found that the majority of organisations are taking a wait-and-see approach.
According to Trustwave, at least 51% of South African companies have not made a significant effort to comply with the legislation.
While part of the reason may lie in the fact that a regulator has not been appointed yet, it is expected that a regulator will be appointed before the end of 2014, after which firms will have no more than 12 months to reach full compliance or face penalties.
For comparison, in the UK, which has similar legislation, it has taken more than a decade for some companies to comply with the law.
But Popi is unlike other legislation. It is focused on getting consumers to hold organisations liable for how personal data is gathered, stored and used.
“It’s a bottom-up approach and that’s why you have a regulator,” data protection specialist Francis Cronje told Fin24. “The regulator’s main role is public awareness.”
[Photo: Andrew Kirkland of Trustwave makes his point on Popi compliance. (Duncan Alfreds, Fin24)]
He said that South Africans were not as vigilant regarding their personal data to prevent criminals from accessing it.
As an example, Cronje cited people throwing away medicine labels which often contain personal information and even bills or bank statements with financial information.
“There are a lot of syndicates that pay those people to harvest personal information and that’s how you get a lot of credit card fraud and ID theft,” he said.
Some unscrupulous organisations also make it a business model to harvest personal data and sell it on to companies not even based in SA.
“There’s a lot of data theft going around. Sometimes you might get this e-mail from a complete stranger in America offering you a database in South Africa, leaving you wondering: ‘How did they get it?’” Cronje said.
Some operators have been known to advertise for general jobs on classified websites as a way to collect vast amounts of personal data as people applied for employment.
Cronje also cited disgruntled workers who might leave a company with a database of customer personal and financial information.
It is imperative that organisations ensure that there are systems in place that prevent personal data leaking out through the direct actions, incompetence or malevolence of employees.
“There’s no excuse for that,” Cronje stated emphatically.
According to the Trustwave report, 38% of companies said that they had organisational measures in place to prevent the loss of unauthorised data.
However, Trustwave said that even if South African companies had experienced a data breach, it is unlikely that they would make it public.
“In South Africa, no. Nobody’s going out there to publicly announce that they had a data breach. That would be quite catastrophic for them. However, I do agree with Francis that there is a responsibility with that company to go through that process to notify you – not 32 days later,” Andrew Kirkland, Trustwave regional director for Africa, told Fin24.
Sony waited 32 days to publicly announce that it had experienced a data breach on its PlayStation Network and the company has agreed to pay $15m in a settlement.
Many South African companies also have a lax attitude regarding personal data when contracting third-party marketers.
“If you engage with a direct marketer, make sure at least, that you’ve conducted your due diligence,” said Cronje.
He added that for both private and public enterprises, the theft of personal data in SA was a huge problem that Popi would address if companies made compliance a priority.
“It costs this country in excess of R3bn per annum in ID theft just from a governmental perspective. Imagine what it costs business.”