Popi: Plenty of costs, moneymaking opportunities in SA’s new privacy laws

Just when you think there couldn’t possibly be anymore red-tape getting in the way of making money, along comes Popi – the Protection of Personal Information Act. This looming legislation will change our lives a lot like Fica (Financial Intelligence Centre Act) has, adding to paperwork and costs associated with running a business. Personally I’ve always wondered about the true value of Fica for catching real money-launderers and terrorists. And, while I think it is a noble idea to protect our private information, have you ever taken a look at how much is already publicly available on you? Much of it, of course, we have put out there ourselves – wittingly, on Facebook, and unwittingly by engaging in other ways on the web. I had no idea, for example, that Twitter gives geographic co-ordinates of where you have tapped out your 140 characters, until yesterday when I looked over a university researcher’s shoulder at Tweets she had pulled into data processing software. Michiel Jonker of Grant Thornton says we can expect a lot of admin with Popi, but there will be business opportunities too. Read his blog and, then, please do share your views on Popi, below.- JC

By Michiel Jonker

South African businesses are not ready for the looming implementation of the Protection of Personal Information Act (Popi).

The Popi Act, which was gazetted in December last year, and which is currently awaiting an effective date, requires widespread reforms that both the private and public sector must introduce to ensure that the personal information and data they collect are protected. The new Act also provides strict guidelines, among other things, on what data can be obtained, how that data can be used, and the requirement that it should be kept up-to-date.

POPI is the acronym for looming privacy laws that will increase the cost of doing business. IT expert Michiel Jonker of Grant Thornton explains how business will change under POPI.
Popi is the acronym for looming privacy laws that will increase the cost of doing business in South Africa. IT expert Michiel Jonker of Grant Thornton explains how business will change under Popi.

Based on feedback which they had received from the business community, it is clear that most organisations are still not ready to implement the ground-breaking legislation. There are many experts such as IT security consultants we deal with every day who say that South Africa is not ready for Popi and that it’s not going to work.

One of the reasons for this is that South Africa does not have the privacy culture of the more developed countries. 

While Popi has many benefits such as compliance with international standards that could lead to greater investment opportunities, going both sides, the costs of implementing Popi will place significant cost pressures on big business, due to the extra layer of administration that compliance requires.

These costs include the employment of additional specialised personnel, including expensive and highly-skilled privacy officers, the contracting of IT and business auditing service providers; and the need for specialist legal consultants for the review of all existing agreements which the company has with third parties.

In addition to the rising cost of doing business, companies are also faced with the potential of multi-million rand monetary fines, civil claims and reputational damage – if found guilty of Popi transgressions.

Take Zurich Insurance as an example. The local subsidiary of the company experienced a data leak in 2008 in which they lost the data of more than 40000 clients when the South African branch of the company lost an unencrypted back-up tape during a routine transfer to a data storage centre. While the implication for the South African subsidiary was minimal, the UK’s Financial Services Authority imposed a £2 million fine on the UK office of the company due to the Popi-like legislation that was already in place in Europe.

Most at risk in South Africa are big corporate organisations dealing with sensitive information because they will have to prove to the regulatory body that they took appropriate steps to offset any potential data breaches.

A mom-and-pop shop with a few customers may need to implement basic security, but a huge medical aid entity with thousands of members, dealing with very sensitive information, will need a much bigger team of specialists and advisors. Every business has to prove that they did what the ‘reasonable person’ would have done, considering financial constraints; the sensitivity of the data they collect, process and store; the industry standards and expectations and best practices, generally accepted by the international community.

It’s important to look at this in a global perspective and not in isolation. Any compliance must take into account the prevention of data breaches; the detection of breaches if the preventative measures fail and the ability to repair breaches and affect damage control.

The cost pressures notwithstanding, the benefits in the long run could be very positive. The international business community, for example in Europe, prefers that South Africa should have privacy legislation in place before doing business. They are forced by their legislation to ensure that their business partners do enforce similar privacy controls. 

This brings me to the argument that local dynamic organisations with significant future growth aspirations should see Popi as a business enabler or opportunity. It would eradicate even more barriers erected by international governments for SA executives to successfully embark on doing business internationally.

The opportunities that Popi creates, however, depend on how well South Africa’s public and private sectors can embrace a culture of privacy.

Once the culture is right all the other privacy measures will work. We need to start respecting the privacy of personal information. It starts with the tone of top management and filters to the mail room downstairs. 

Michiel Jonker is a director in the IT Advisory division at Grant Thornton, Johannesburg. He has more than ten years’ experience as a computer auditor.  He previously worked for companies in the medical scheme, road accident fund, e-commerce and mobile phone industries. He has wide-ranging experience in a variety of different audits and assessments, such as IT governance, IT risk, Security Audits, Disaster recovery planning audits, to name a few.  Michiel has a special interest in business risk management and he is the author of his own e-book, covering risk management principles.


(Visited 54 times, 1 visits today)