While the Protection of Personal Information Act (POPIA) (constitutional right to privacy) and Promotion of Access to Information Act (PAIA) (constitutional right to access information) have been around for a while and we are all somewhat aware of what they pertain to, by 30 June 2021 companies will have to comply to POPIA.
We are highlighting this in this edition of the IR Alert as we feel that if you are compliant it’s a positive talking point and should be mentioned on your website and in your annual report. Despite it being another piece of legislation to comply with, it certainly speaks to governance and supports the environmental, social and governance (ESG) principles shareholders and impact investors will look at.
In a world dominated by technology, we can’t think of one of our clients who does not have information that needs to be protected. From HR data to customer data to financial data, possible breaches have to be assessed and companies have to ensure that these sources are protected and given the necessary respect they deserve.
What should you be considering?
Undertake an evaluation of all information you have and ensure that you understand why you have this information, as well as why you keep it.
What is the impact of the Act on your business?
- Get the necessary consent and ensure you have a policy in place.
- Consider keeping an information asset register where all types of information, reasons for keeping the information, the person responsible for the information, and the protection of the information is noted.
- Devise and check security.
- Have you distinguished between a Responsible Party, the Operator and an Information Officer (the latter is not necessarily the head of IT)? This point helps in the step of knowing who is responsible for what information.
- Train staff on POPIA (as this is very often the easiest point of penetration).
According to Karus Prinsloo of Inlexso, the POPIA Act “has teeth” and non-compliance can lead to:
- Reputational risk (e.g. Experian, Old Mutual and Garmin – which all recently suffered security breaches of their data).
- 10 years’ imprisonment.
- Administrative fines of up to R10 million or a percentage of turnover – negotiated settlements are possible if a breach has occurred.