POPI (the Protection of Personal Information Act) will provide welcome protection for our personal information – our names, ID numbers, addresses, medical histories and so on, but the other side of the coin is that it will expose small businesses in particular to a whole new raft of onerous obligations and risks.
The problem is that there have been so many false alarms as to when POPI’s compliance provisions will actually commence, that many of us have lost sight of just how heavy a burden it will place on our businesses.
But now the process is strongly underway again, and this time it’s not a case of “Crying Wolf”. So here’s what you need to know for now ….
What is required of you and when
There’s a lot to contend with even for big businesses with their vast administrative resources and deep pockets. So since 2014 they’ve been planning ahead and spending fortunes on training for POPI and on preparing their systems for compliance.
But if you’re a typical small business with limited resources you face a real challenge here. You probably have very limited understanding of what POPI is, of how it impacts on you, of the substantial risks it exposes you to, and – perhaps most importantly – what you must do about it and when.
In a nutshell –
- At long last, an Information Regulator has been appointed, and Draft Regulations have been published for comment by 7 November 2017.
- So it seems logical that the one year grace period for compliance will run from early next year. So there’s no major panic just yet, but take advantage of this advance warning to understand your compliance burden and to get ready for it.
- One of your major obligations is to take appropriate and reasonable measures to secure all “personal information” collected, used or stored by you. Don’t think by the way that you don’t hold any “personal information” – pretty much every detail you have or have used for every client/customer, supplier, service provider, employee etc is included in the definition. POPI applies to you!
- You will have to officially report and explain any suspected breach of confidentiality. Not just a hack or data loss, but any potential data compromise such as the loss or theft of a laptop, cell phone or backup drive.
- You are also strictly limited as to what personal information you can collect, where you can acquire it from, what you can hold and for how long, and what you can use it for.
- Amongst a host of other issues you will have to tackle, you must ensure that the information you hold is accurate. The list goes on …
The big risks of non-compliance
- Breaches of any of these duties lay you open to severe penalties (administrative fines of up to R10m) and prosecution (up to 10 years imprisonment), quite apart from the harm and loss of trust in you that adverse publicity will undoubtedly cause.
- That’s not all – you can also be sued for millions in damages by anyone whose data has been compromised, and you are limited to a list of specified defences to such a claim. Critically, this is a case of “strict liability” in that no “intent or negligence” on your part need be proved.
- To give you an idea of the extent of the risk, an SME in the UK was recently fined under similar laws. It must pay £60k (R1m) for failing to prevent hackers from accessing its clients’ personal information.
We’ll let you have some practical guidance on complying once the Regulations (possibly also Codes of Conduct) and effective dates are finalised, but for starters your software, your business processes, and your security systems (passwords, encryption etc) will almost certainly need a major overhaul.
The best thing you can do right now is to start thinking about what personal information you hold, where you hold it, who has access to it, and how secure it is.