The Protection of Personal Information Act is imminent. How can South African business prepare?
The Protection of Personal Information Act is, now more than ever, an immovable force that South African businesses will soon be expected to comprehensively address or risk facing harsh penalties for failure to act.
After several rounds of reconsideration and progress through state administration, the Act, which aims to further formalise how corporate entities access and secure consumer information, will be signed into law by President Jacob Zuma.
This will give affected organisations only twelve months to respond.
The penalties for non-compliance are harsh. Entities that are unable to meet the Protection of Personal Information (PoPI) Act’s guidelines will face fines of up to R10 million or 10 years in jail, may be required to pay out significant sums in damages in civil class actions, and will certainly suffer reputational impairment as a result.
PoPI is intended to protect the integrity and sensitivity of private information. In response, entities operating in sectors that request personal particulars, such as financial services or telecommunications, will be required to carefully manage the data capture and storage process.
This could have a significant effect on a broad range of corporate functions, says Heino Gevers, Security Specialist at Mimecast South Africa.
“The Act will apply to any information regarding clients or suppliers, including contact details and correspondence. Human resources and payroll data, curricula vitae, applications for employment, CCTV records, performance reviews and internal e-mail records are also subject to its requirements, which could have a significant impact on the way local entities conduct business.”
Indeed, PoPI’s stringent cross-border data transfer expectations, under which information may not be relocated to countries with inadequate information protection frameworks, may also prove a challenge for corporates operating throughout Africa.
In preparation, many organisations are scrambling to identify tools that will aid in securing sensitive information according to PoPI’s legislative requirements.
In many ways, believes Pedro Lopes, Managing Director at Bluekey Network Solutions, Mimecast’s information archiving, security and continuity offerings tick all the boxes.
“Mimecast offers a cloud-based solution that enables employees to access corporate communication in a highly secure manner. This service incorporates stringent local data storage policies and includes tools to separate personal and business information within the organisation and enables secure governance-based data transfers.”
“Significantly, Mimecast also offers an email branding solution that allows viewers to opt out if they deem the content inappropriate. This instrument is complemented by a monitoring system that enables the user to choose what they receive. These elements directly respond to PoPI’s stringent spam requirements.”
Although these resources provide a robust resolution to PoPI compliance, what tools do they offer when an organisation is expected to respond to regulators?
According to Gevers, Mimecast’s offerings in this arena are comprehensive.
“Mimecast is equipped with a comprehensive eDiscovery and forensic solution that allows an entity to search the breadth of its internal data. This will undoubtedly prove particularly useful for organisations that are faced with allegations of data leakage or mismanagement of information.”
The Protection of Personal Information Act is a considerable hurdle for local businesses to overcome. Although it will ultimately safeguard sensitive information, the road to corporate compliance may seem long and treacherous for many entities.
“Mimecast’s Unified Email Management, Large File Sending and Mimecast Services For Outlook (MSO 4) are arguably the most comprehensive and easily applied PoPI-friendly tools currently available. With legislation approval on the horizon, organisations are encouraged to begin making preparations,” concludes Gevers.