I’ve heard similar comments at several conferences. It seems that South African companies are waiting until the last minute and assuming that they will have enough time to comply.
A great many organisations seem to think that compliance with personal information legislation (whether PoPI, GDPR or any other) will be a quick project. They’re wrong.
As experience with GDPR compliance shows, putting the governance in place to properly understand and deal with the complexities of privacy legislation is a huge, enterprise-wide programme that requires a detailed understanding of both the law and the company's internal data architecture, systems and data management capabilities.
Yet many of the same companies that have been postponing PoPIA have been struggling to meet GDPR deadlines.
The irony is that PoPIA compliance would have covered vast swathes of GDPR. By delaying PoPIA these companies put themselves under unnecessary pressure and, in the end, may not be deemed compliant by the EU authorities.
PoPIA is about more than compliance
In recent years, numerous companies, including Ster-Kinekor, Jigsaw Holdings, Viewfines.co.za and, most recently, Liberty Life, have had sensitive client data exposed to hackers.
Arguably Liberty Life – who were the first big South African company to suffer a breach since the GDPR came into effect in May 2018 – have dealt with the breach in the most transparent way, as discussed in Liberty breach. The immediate financial impact was a 5% drop in their share price even without the application of any penalties that may arise.
Most companies – and here I venture to include Liberty – underestimate the sheer scale and volume of data covered by the law. Or they have a very good idea of the scale of the problem and don't know how to begin.
It's not enough to secure the core client systems and databases, although that is a good start.
It's not enough to include supplier and employee information in that list, either.
Neither GDPR nor PoPI is limited to what you may hold in those databases – both extend to *all* personal information an organisation may hold about a client. This includes their email addresses. It includes the information contained in the signature blocks of emails originating from those email addresses. It includes the logs identifying the IP addresses from which those emails originated. And, of course, it includes any personal information shared in those emails.
Any organisation that doesn’t have an extensive information governance framework in place isn’t going to know where all the data subject to privacy legislation is housed. By extension, a company that doesn’t actively monitor compliance with internal policies and processes isn’t going to know how many illicit copies of that data reside on user machines, external drives, or even internal shared network drives. They may be backed up and “secured”, but are they compliant? Probably not.
The reality is that many organisations have multiple copies of personal information scattered across their systems and applications. The larger or older the company, the greater the likelihood that this information is held in systems and applications that don’t communicate with each other, or controlled and managed by a business silo that has little to no visibility on the information held by other silos in the same company. How many times have you provided updated information to a company only to have them refer to the outdated information when communicating with you? The chances are that the updated information you supplied is in there somewhere, just not accessible by (or even visible to) whichever business unit has contacted you.
Work top down to achieve compliance
The first step in PoPIA / GDPR compliance is identifying exactly which systems hold sensitive information and for what purpose.
This is a massive undertaking in and of itself.
From here we can begin to link to the key business processes dependent on sensitive data, identify the stakeholders that must be accountable for compliance, and then begin to delve into the details.
Even doing the bare minimum to achieve compliance is a multi-year, multi-discipline project requiring the active commitment of stakeholders from both business and IT, not to mention executive support.