How will the Protection of Personal Information Act (POPI) affect your business?
Do you often get companies cold calling or emailing you, trying to sell you something you’re not interested in? It can get very frustrating, especially if you have not given them permission to contact you. Maybe you’ve fallen victim to identity theft or online fraud? Are you worried that your client data may be at risk?
According to insurance underwriter Camargue, more than a third of South Africa’s companies have experienced data breaches and a staggering 974 million company records were lost or stolen in 2014.
What is the Protection of Personal Information Act (POPI)?
The Protection of Personal Information Act No. 4 of 2013 (POPIA or POPI) promotes the protection of personal information collected and used by companies and individuals.
This Act aims to regulate the use of personal data including how it is collected, stored and kept safe. In our hyper-connected world, the Act endeavours to protect consumers and companies from data breaches and related threats by giving individuals control over their personal data and how it is used. POPI will provide regulation and recourse through provisions that will guide the legitimate use and management of personal data.
As it stands currently, if you do not want your personal information to be used, you need to opt out of messages from institutions such as insurers, banks, etc. POPI requires an opt-in approach to the use of personal information and will therefore require consent for any and all use of personal data.
This Act is necessary because personal data is currently being re-sold indiscriminately, which often leads to loss, fraud or damage.
Complying with the Protection of Personal Information Act (POPI)
POPI will align South Africa with global data protection laws by providing definitive guidelines on how personal data must be stored and managed. It will significantly impact industries such as the financial services industry. For some businesses it will require a complete overhaul of their privacy policies and of how they control their customer data.
The Act outlines eight provisions that companies must adhere to. These cover the lawful management of personal information, with accountability placed on the keepers of the data and rights awarded to those who supply the information.
Once POPI has been implemented, businesses will have one year to comply. POPI is expected to be fully operational by the end of 2017.
To gauge whether they are compliant, all businesses that collect and manage data will need to analyse exactly what kind of data they have, how they process it, what they use it for and how they store the data.
Comprehensive POPI compliance is complex, as new information is constantly being generated and this, along with existing information, must be managed so that it remains compliant. The most challenging issue is implementing the required processes and systems within the given time frame of one year. In many cases, it may take much longer to reach full compliance.
Not complying with the Act will result in the offending parties facing harsh consequences. The Act provides for administrative, criminal and civil liability, with penalties of up to R10 million and imprisonment of up to ten years.
How to protect your business
Cybercrime on the back of data breaches is a reminder of the enormous damage hackers and other cyber criminals can inflict. Identity theft resulting from a data breach is not only an inconvenience to the affected people, but also an unnecessary invasion of their right to privacy.
Businesses must make sure they fully understand the new privacy regulations and that they implement best-practice principles for the management of personal data. All business systems should be audited to identify the gaps and areas of potential risk. Failing to understand and address these risks will result not only in the loss of customer data but also in the loss of client trust and ultimately their support for your business. Implementing meticulous corporate governance controls will go a long way towards building a strong line of defence against potential data breaches and cybercrime.
Small and medium-sized businesses are also at risk. These business owners often underestimate their risk exposure because of the size of their business. A data breach can have a devastating effect on their cash flow, profits and quite possibly their reputation in the market.
Cyber risk insurance with sufficient indemnity makes up only one part of the holistic approach recommended to mitigate cyber risk. Companies of all sizes need to ensure that they have comprehensive risk mitigation strategies in place, including adequate insurance cover that addresses all possible threats relating to online fraud, identity theft and resultant cybercrime.
Should you wish to enquire about this cover and the general exposure of cyber liability, please contact your respective Accounts Executive.