POPI: Protecting Customers And Enabling Businesses - Business Media MAGS

Sunday Times Consulting


The Protection of Personal Information Act is here. James Francis finds out how the act affects businesses.

Personal information – your ID number, phone number, home address, name and surname, bank account, email address, date of birth, vehicle registration – is extremely attractive to cybercriminals and requires legal protection. That’s why the Protection of Personal Information Act, better known as POPI or POPIA, has been introduced.

“If you look at the act’s preamble, the purpose is to give effect to everyone’s constitutional right to privacy. It’s also to enhance the information economy and the free flow of information,” says Ilze Hattingh, director at Novation Consulting.

As she explains, POPIA has two significant roles: to protect personal information and give companies the freedom to use that information safely and responsibly – a calling card to potential customers.

“When you prove that you are POPIA-compliant, you attract more interest and more companies will do business with you,” explains Bridgette Vermaak, Xperien’s head of IT Asset Disposal. “We found in our industry that as soon as we proved we are POPIA-compliant, we grew our business significantly.”

Does it apply to you?

Does POPIA apply to your organisation? The short answer is yes. The act’s view of personal information covers any information that could identify an individual.

“Anything with a person’s name, anything with a cell phone number, anything with an email address, anything that can be used to identify you,” says Hattingh. “In some instances, it can be your IP address. If you can somehow identify someone by using that piece of information, even if you have to link it to other available information, the act will apply to it.”

This definition covers both digital and physical forms of information: a physical sign-in book is as much in the scope of POPIA as a spreadsheet with customer details. Employee, shareholder and board details also count as personal information, so it is hard to imagine any organisation not affected by POPIA. “It applies to everyone,” Hattingh notes.

Reasonable yet firm

POPIA has been in the pipeline since 2013, but only became law last year, and the honeymoon period for compliance ends in July 2021. Yet, outside of some key areas, the act is not hugely prescriptive. The word “reasonable” appears over five dozen times in its text. POPIA wants to encourage companies to relook at how they use people’s personal information, but allow each organisation to plot its course on how to get there.

“The act is broad in terms of a view of responsibility in handling that data,” explains Vermaak. “It’s guiding you on how you should process personal data, store that data and destroy that data. ‘Let’s make sure that we handle this data in a responsible manner’ is the message.”

Some areas of POPIA are prescribed. For instance, a company must appoint a data officer who is also a company employee. The act places responsibility for personal information on the “head” of the company – such as the CEO or managing director. It resides with them and cannot be delegated to a third party. POPIA empowers customers, for example, to request which of their personal information a company holds. The act expects companies to destroy personal information that they have no good reason to retain. It requires a heightened level of risk management around cyber incidents and the reporting of security breaches.

The information regulator, established specifically for the act, will enforce POPIA with sweeping powers, says Hattingh: “The information regulator can investigate any organisation. According to the act, the regulator can initiate an assessment on their own initiative, or at the request of the responsible party or any other person.”

The office is currently still focusing on staffing, building its systems and offering guidance to the market. The courts will likely define POPIA’s precedents. Yet there is good news: POPIA compliance is about demonstrating that you are doing your best to achieve those benchmarks.

“The important thing is to document when you discuss POPIA or make decisions towards its implementation. So on a security front, we may need to implement encryption, but the budget for it is only available next year. Document that, so if the regulator ever investigates, you can show evidence that you’re working on it,” advises Hattingh.

Co-opt a consultant

Some parts of the act aren’t open for interpretation, so to strike a balance it is worth getting in a POPIA consultant, adds Vermaak. “We continue to engage with our consultant because we’re always working with data in different ways. It’s not inexpensive, but there’s a lot of benefit to it. You can’t look at their costs as an expense. The loss of income due to a breach, because you’ve suffered reputational loss and you’ve got a massive POPIA fine to pay, can be huge – paying a consultant is a much better use of your money.”

A consultant can’t offer any legal protection, but they enable a company to use personal information for their benefit and avoid costly fines. POPIA compliance forges digital-ready companies. If you look at it in that light, POPIA is less about compliance than creating business advantage.
