The Protection of Personal Information (PoPI) Act has been a topic of interest for some time, with businesses and the general public alike wondering when it would come into effect, how long it would take to become relevant and who would oversee the process as Information Regulator.
The appointment of Pansy Tlakula as South Africa’s Information Regulator in December 2016, however, means that the time for discussion is over and the time for action has come.
For the general public, it is a time of excitement and promise, as people are handed back control and ownership of their own information and how it is used. For businesses that collect, use, disseminate or otherwise hold any information about their customers, employees and suppliers (and, let's face it, that is most businesses today), it is a time of complete re-evaluation of their data-control and privacy policies as they scramble to ensure they are compliant and protected from risk.
The PoPI compliancy challenge
The main goal of PoPI is to protect personal information from being collected, used or re-sold in ways that cause inconvenience, damage, loss or fraud for the person it concerns. With its long list of conditions for lawful processing, PoPI affects any personal information a company gathers. It sets out how that information must be secured, what care must be taken in handling it and when it must be purged, and leaves little room for deviation from these rules.
In the IT industry, particularly the contact centre environment, a lot of this type of personal information is gathered daily. The challenge with PoPI will be that big corporates with contact centres – like insurance companies and financial institutions – will need to adapt their current systems in order to meet the legislative requirements of the Act and to prove compliance when auditors come knocking.
Companies will need a clear understanding of which positions and functions in the business require access to which specific information in their core repositories and storage. Considerable configuration and planning will be required to ensure that only the appropriate users have access to a given class of information. Many systems have the access-control functionality built in; the hard part is assigning each user exactly the rights their role requires, and removing the rest.
Another hurdle is locality: different forms of data-protection law are being implemented all over the globe. While every such country is essentially protecting personal information, each does so in its own way, and their timing, deadlines and urgency will not necessarily match ours.
Where companies resell, for example, North American OEM technology, it remains to be seen whether those systems can or will be adapted in time to meet the PoPI deadlines. Requirements that are unique to South African law may therefore limit the systems and features available for PoPI compliance, which is an impediment and a risk for the business.
The uptake by South African companies of Software as a Service (SaaS) hosted in foreign countries compounds this: the provider may not be aligned with South African deadlines, and its controls may be built for a different jurisdiction's requirements rather than PoPI's.
Addressing PoPI in the age of information
Today’s world is one of the Internet of Things (IoT), Bring Your Own Device (BYOD) and similar disruptive technologies, which create a connected web of constantly moving data. Add to this, the elevated levels and opportunities for cybercrime – which is advancing alongside the technologies – and you have additional complexity with PoPI compliance. It’s not only the management of existing information that businesses will need to adapt for compliance, but also the information that will be generated by these new, connected environments.
In response, organisations have started introducing device management and network controls such as deep packet inspection (DPI). Under these measures a device is granted permission to join the corporate network on condition that the organisation controls any information on that device while it is on the network.
Enterprise Mobility Management (EMM) tooling enables this control and allows strict adherence to the regulation while a device is on the corporate network. When the device leaves the network, the corporate information stays behind rather than travelling with it; it is almost like logging into a hot desk, but for devices. Companies need to adopt such measures, otherwise their information is only as secure as the first connection point.
Taking a step back, IoT and BYOD also mean that organisations can gather more information about an individual, and information that is more comprehensive and richer in detail, all of which must be managed for compliance.
The Road to Compliancy
Although the Information Regulator has been appointed, there is still some time, albeit not very long. PoPI is expected to come fully into force towards the third or fourth quarter of 2017, after which organisations will have a grace period of one year to become compliant. While this may seem like a long way off, businesses need to start planning and implementing now to meet the deadline and avoid last-minute panic.
The first thing an organisation should do, from a risk perspective, is audit all its systems to understand what data is held and where, and to identify the gaps. Once this is done, the organisation must determine what measures are needed, whether interim or long-term, and put them in place.
The second step is a full assessment of all internal system users to ascertain which profiles need to be added and which access permissions need to be modified, granted or removed. User management must be in place and implemented properly throughout the organisation; left unmanaged, access rights drift and become chaotic over time.
The third step is to ensure proper policies and procedures are in place for any dissemination of information into and out of the company.
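The access-control work in the second step (and the role-to-information mapping described under the compliance challenge) comes down to a deny-by-default model: each role is granted only the categories of personal information its function needs, every decision is logged so access can be evidenced to an auditor, and grants that fall outside the role model are periodically reviewed and removed. The Python below is an added example and is not code from the original article; the data categories, roles and user accounts are constructed for illustration.

```python
"""Deny-by-default access model for personal information, with a review pass.

Added example, not from the original article. Data categories, roles and
user accounts below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Inventory of personal-information categories held in the repository (constructed).
DATA_CATEGORIES = {"contact_details", "id_number", "financial", "health", "call_recordings"}

# Each role is granted only the categories its function needs (constructed mapping).
# "marketing" deliberately references a category missing from the inventory so
# that the review below has something to flag.
ROLE_PERMISSIONS = {
    "contact_centre_agent": {"contact_details"},
    "claims_assessor": {"contact_details", "id_number", "financial"},
    "medical_underwriter": {"contact_details", "health"},
    "qa_auditor": {"call_recordings"},
    "marketing": {"contact_details", "browsing_history"},
}


@dataclass
class User:
    username: str
    roles: set
    # Ad-hoc grants made outside the role model; these are what access reviews hunt for.
    direct_grants: set = field(default_factory=set)


def role_permissions(user):
    """Categories justified by the user's roles alone."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def effective_permissions(user):
    """What the user can actually reach today: role grants plus ad-hoc grants."""
    return role_permissions(user) | user.direct_grants


def check_access(user, category, audit_log):
    """Deny by default: unknown categories and unassigned categories are refused.
    Every decision is appended to audit_log so access can be evidenced later."""
    allowed = category in DATA_CATEGORIES and category in effective_permissions(user)
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.username,
        "category": category,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def review_direct_grants(users):
    """Direct grants that no role of the user justifies: candidates for removal."""
    return {u.username: sorted(u.direct_grants - role_permissions(u))
            for u in users if u.direct_grants - role_permissions(u)}


def review_roles():
    """Roles that reference categories absent from the inventory (stale or mistyped)."""
    return {role: sorted(cats - DATA_CATEGORIES)
            for role, cats in ROLE_PERMISSIONS.items() if cats - DATA_CATEGORIES}


def review_users(users):
    """Accounts with no role at all: dormant, unclassified, or living on direct grants."""
    return sorted(u.username for u in users if not u.roles)


# Constructed sample population: one clean agent, one assessor with an ad-hoc
# grant to health data, and a legacy account that has only direct grants.
SAMPLE_USERS = [
    User("agent1", {"contact_centre_agent"}),
    User("assessor1", {"claims_assessor"}, direct_grants={"health"}),
    User("legacy1", set(), direct_grants={"financial"}),
]


def run_review(users=SAMPLE_USERS):
    """The findings an access review would hand to the auditor."""
    return {
        "excess_direct_grants": review_direct_grants(users),
        "roles_with_unknown_categories": review_roles(),
        "users_without_roles": review_users(users),
    }


if __name__ == "__main__":
    log = []
    for user, category in [(SAMPLE_USERS[0], "contact_details"), (SAMPLE_USERS[0], "financial")]:
        print(user.username, category, check_access(user, category, log))
    print(run_review())
```

Two points are worth noting. `check_access` refuses anything not in the category inventory, so a mistyped or stale entry in a role mapping fails closed instead of silently opening a door. And the review functions are the evidence an auditor asks for: which accounts hold access their role does not justify, which roles point at data the inventory does not know about, and which accounts have no role at all. The direct grant on `assessor1` is still honoured until it is removed; the review surfaces it, the organisation has to act on it.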
Companies that play in the technology space should make the most of the opportunities that PoPI compliance presents: to target protective technology, and to extend their consulting expertise and services to help other companies adapt their systems for long-term PoPI compliance.