POPI Is Here: Are You Ready?
Gazetted on 26 November 2013, the Protection of Personal Information Act No. 4 of 2013 (POPIA, or POPI) aims to bring South Africa in line with international data protection law by regulating the processing of personal information by public and private bodies. The Act also provides for an Information Regulator to exercise the powers and perform the duties it assigns. Under the current position, a person who does not want their information used for direct marketing must “opt out” (think of the text messages received from banks, travel agencies and direct marketers); POPIA replaces this with an “opt-in” approach, under which consent must be obtained before personal information is used in this way.
The office of the Information Regulator was established in December 2016, chaired by Advocate Pansy Tlakula. Concern has been expressed that, to the extent the body must fund its own operations, the Regulator may be inclined to issue penalties for non-compliance so as to secure a consistent income stream that exceeds its running costs. The Regulator intends to be fully operational by the end of this year, after which the commencement date of POPIA will be announced. Once the Act commences, natural and juristic persons will have a one-year grace period in which to comply, unless that period is extended as the Act permits.
In its simplest form, POPIA introduces eight conditions for the lawful processing of personal information, and creates rights and responsibilities for the two parties it defines: responsible parties, the custodians of the information who decide how it is processed, and data subjects, the natural or juristic persons to whom the information relates. Personal information includes the predictable categories, such as financial and health information, but the Act’s definition is so broad that it extends to any characteristic or identifier that can be used to single a person out from a crowd (a Twitter handle, for example).
Non-compliance with the conditions of the Act may carry severe consequences. The Act allows for three forms of liability: administrative, in the form of a penalty payable to the Information Regulator of up to R10 million; criminal, in the form of imprisonment not exceeding ten years and/or a fine; and civil, in the form of damages for interference with personal information, which a data subject may claim whether or not the responsible party acted with intent or negligence.
Large retailers are a high-risk group when it comes to being targeted by cyber-crime syndicates. Target in the United States, for example, suffered a data breach in which its customers’ payment card details were stolen and traded. The resulting loss (and subsequent insurance claim) has been estimated in the region of US$246 million. Healthcare providers are another industry targeted of late: attackers are after patient records and prescriptions, which can be falsified to obtain drugs and other medicines from pharmacies and dispensaries and then sold illegally on the dark web.
It is evident that a lack of awareness of, and compliance with, privacy regulation can have detrimental consequences for a business. It is therefore imperative that businesses adopt a best-practice approach to POPIA, particularly as it applies to the collection, storage, interpretation, use, transfer and destruction of personal information. Customers today, for the most part, prefer to deal with responsible organisations, so a business that promotes a culture of responsible handling of personal information can use this as a source of competitive advantage, particularly in the global context in which many now operate.
Appropriate corporate governance and risk management are key to protecting a business from falling victim to cyber-crime. One of the most effective ways of mitigating the residual risk is to use a risk-transfer mechanism such as insurance: an organisation can transfer potential losses to a comprehensive cyber-risk insurance policy with an adequate limit of indemnity. This helps ensure that the business continues as a going concern in the event of a security breach or a heavy fine levied by the Regulator.