Today’s bout! PoPIA versus FATCA

Discover the clash of regulations in Today’s bout! PoPIA versus FATCA. South Africa’s PoPIA restricts access to personal data, while the US’s FATCA enforces access. Explore the international impact, penalties, and compliance challenges. Learn how data governance holds the key to ensuring compliance and minimizing the impact on your business.


The Big Match

Both South Africa and America have a tradition of producing great boxers.

South African legends like Gerrie Coetzee, Brian Mitchell and “Baby Jake” Matlala stand out from a long list, while Joe Louis, Mike Tyson, Sugar Ray Robinson and Muhammad Ali are some of the better known Americans.

The conflict between local and international regulations is like a boxing match between these greats.

POPI versus FATCA: The line up.

In the South African corner, PoPIA (the Protection of Personal Information Act) was passed to restrict access to personal data.

In the US corner, FATCA (the Foreign Accounts Tax Compliance Act) was passed to force access to personal data.

Who will win this thrilling contest?

Round 1: International Impact

PoPIA is South African legislation voted into law in November 2013. The POPI Act seeks to ensure that South African businesses comply with all major international privacy bills – including those of major trading partners such as Europe, the United States and the United Kingdom. As such, it is one of the most comprehensive bills for the protection of data to be found on any statute.

FATCA is US legislation, passed in 2010, that impacts foreign financial institutions (FFIs). It requires foreign banks, insurance companies and similar financial institutions to report the taxable earnings of US citizens to the IRS.

Numerous countries, including France, Germany, the United Kingdom, Switzerland and South Africa have already agreed to cooperate with FATCA. A number of countries are rumoured to be implementing their own variation of FATCA, and it is likely that this will increase the burden of FATCA over the next decade.

Judges’ decision: FATCA is a narrow winner on points

Round 2: Penalties

Businesses that fail to comply with PoPIA can face fines of up to R10 million.

As such, PoPIA is the first South African legislation to have real teeth to enforce compliance.

For FFIs, the consequences of non-compliance with FATCA are to face a 30% withholding tax on any payments received from US entities. While this could run into hundreds of millions for some organisations, the impact on most South African companies is light.

Judges’ decision: POPI wins a tight round

Round 3: Difficulty of compliance

Chapter 3 of PoPIA details eight pillars covering the complete use of personal information, from acquisition to destruction.

The onus on organisations is to identify where personal information is held within the organisation and to ensure appropriate levels of access control.

Although much of the focus is on security, companies are also required to ensure data quality – “personal information [must be] complete, accurate, not misleading and updated when necessary.” The POPI Act also requires that the organisation be capable of providing, upon request, a description of all personal information held about a data subject.

PoPIA may require a major overhaul for many South African firms.

It is not sufficient merely to identify where personal information is held, and who has access to it, in itself a not insignificant challenge. Companies must also take steps to ensure the quality of personal information held in multiple systems.

FATCA requires participating financial institutions to prove that they have identified and are correctly reporting on the earnings of US taxpayers earning more than a US$50 000 threshold.

Poor customer data quality can make it difficult to identify US clients, as important identifying information can be missing or inaccurate. In addition, FFIs must create a linked profile of these clients in order to identify whether earnings meet the required threshold.

Judges’ decision:

Both Acts require significant enhancements to existing data management practices.

Due to its broader reach, PoPIA wins this round.

Round 4: Conflicting requirements

Where FATCA requires FFIs to report on the earnings of US taxpayers, the PoPI Act requires that personal information is protected unless for a specific purpose. In particular, Chapter 9 of PoPIA governs the movement of personal data across the South African border.

The difficulty for an FFI will be in ensuring that the report disclosed to the IRS is compliant with both FATCA and PoPIA.

In terms of PoPIA, it is not acceptable to disclose the earnings, or other personal information, of parties that have been wrongly identified as US taxpayers, nor is it acceptable to disclose the earnings of US citizens that do not reach the $50 000 threshold.

Poor data quality, and the lack of a single view of the customer, are significant hurdles that must be overcome in order to comply with both pieces of legislation.

Judges’ decision: PoPIA, once again, wins this round.

At the end of the bout, information governance is the winner.

In each case, poor quality information and, in particular, the lack of a centralised customer view can be significant challenges that must be overcome.

Common sense suggests that data governance principles be applied to ensure that your business is compliant with each relevant Act while minimising the impact of compliance.

Data governance means defining your data policies, identifying responsible persons, and measuring compliance with policy. A Data Governance centre ensures the reuse of these assets across the organisation and ensures that conflicting or complementary approaches can be identified and managed appropriately.

The centralised governance of data allows you to identify information issues (non-compliance with policy), measure the business impact, and prioritise remediation efforts. Ultimately, this saves money while reducing risk.

Contact us for more information about how we can help.
