[Column] Michelle Dickens: Are South African companies ready for Protection of Personal Information Act?
The majority of organisations are not yet compliant with the Protection of Personal Information Act (POPIA) which becomes effective on 1 July this year.
According to a survey conducted by TPN Credit Bureau on how ready companies are for POPI, only 27.4% are process ready and 40.3% are ready from a governance perspective. Technological readiness scored the highest at 57%, which is still a far cry from compliant. Of the 200 companies we surveyed, only 8% scored above 80% for their POPIA readiness.
Although organisations are expected to be fully compliant with the POPIA by 1 July with all the necessary systems and processes in place, industry bodies were required to have submitted a code of conduct to the Information Regulator by 1 March 2021 according to Regulation 5 of the POPI Act.
It is highly recommended that those organisations that have not yet started the process of becoming compliant with the POPIA do so as soon as possible as compliance is a time-consuming process.
The Credit Bureau Association, for example, has submitted its code of conduct to the Information Regulator, who has subsequently opened the code up for public comment. In South Africa credit bureaux are subject to the restrictions of the National Credit Act which governs the processing of consumer credit information. However, credit bureaux can’t process credit profile information unless they have pre-approval from the Information Regulator.
Another deadline which is looming relates to Regulation 4 of the POPIA which requires that organisations have appointed an information officer by 1 May. An information officer is responsible for, amongst other things, encouraging compliance with the POPIA; developing and implementing a compliance framework; and ensuring that a personal information impact assessment is done to ensure that adequate measures and standards exist.
The aim of the POPIA is to protect personal information and prevent information from being exposed to unauthorised individuals or entities. As such it requires that a set of streamlined processes and systems are established that easily identify where personal information is stored, how that information is processed physically and electronically, who has access to it as well as for what purpose it is required. Not surprisingly, becoming POPI compliant takes time and needs to be an ongoing process.
A failure to be compliant has consequences as organisations could face fines or other penalties depending on the nature of the offense with a maximum 10-year prison sentence or a R10 million fine.