By Mike Rees, Commvault Territory Account Manager for South Africa
The Protection of Personal Information Act (PoPI) has been the cause of much concern in the South African business landscape. Promulgated in 2013, it has not yet come into effect entirely, but once it has been implemented businesses will have one year to comply with the regulations laid down in the Act. Intended to give effect to the constitutional right to privacy, PoPI’s main aim is to prevent the unlawful disclosure of personal information and to ensure that all South African businesses conduct themselves responsibly when collecting, processing, storing and sharing personal information.
In effect, PoPI declares personal information to be a precious commodity, and grants individual’s certain rights of protection and the ability to exercise control over information that is personal. What does this mean for businesses? South African companies are going to have to make some serious changes when it comes to their record and data management policies. While PoPI’s requirements might appear to be onerous at first glance, it must be borne in mind that the end goal – protecting personal information that is of business value – is a worthwhile undertaking for businesses and the journey of achieving PoPI compliance will unlock a number of benefits.
When it comes to personal information (any information that relates to an individual’s identity, contact details, gender, race, criminal record or financial and educational information to mention a few) businesses are going to have to rethink their processes and strategies. PoPI requires that personal information of individual and juristic entities be sufficiently safeguarded and used in a manner that facilitates transparency regarding the types of information that can be processed and for what purpose. PoPI regulates how information is used, the manner and reason for which it is processed (through the information management lifecycle, from collection, to usage, sharing, disposal and archiving) and also regulates who such information is shared with.
Whether the Protection of Personal Information Act is a friend or foe might seem to depend on which side of the fence you’re sitting on. The reality is that PoPI will be enforced and while the date might not be set in concrete, it’s better for organisations to think about compliance now before it becomes a matter of urgency. From an IT perspective, many organisations have the tendency to think it’s an IT problem, therefore IT should be accountable for presenting a solution. This is misguided because while IT will make it easier for a business to manage and adhere to PoPI’s requirements, IT is not in itself the panacea for the challenges of PoPI.
For businesses, achieving compliance with PoPI might seem complicated but with the right advice and approach it is possible to start with the basics now in order to build a foundation for compliance in the future. For organisations that process any personal information, this means rethinking record and information management policies in order to fulfil obligations imposed by PoPI. Businesses will only be able to collect information as it relates to a specified purpose, and consent will need to be obtained before the information can be collected. As such, businesses will have to take reasonable measures to secure the information gathered, but may not keep it for longer than is reasonably needed. They will thus be required to implement a retention and deletion policy within a bigger data management framework. On the other hand, individuals will now have the right to request access to their personal information held by business entities, including the nature of such information, as well as details of third parties that have shared in their information. The implications of such rights will mean that businesses will need to locate personal information and have an associated history of that information’s usage. This becomes complicated when personal information is contained in correspondence (like email) or is paper-based, or has already been archived. In short, PoPI has highlighted the need for South African businesses to handle and manage their data better and more effectively.
Unlocking the benefits of PoPI
With the correct legal advice and an appropriate data storage and management system implemented in the IT environment, it is possible for organisations to start unlocking the benefits of PoPI. This requires a change in mindset that will see data take its place as the lifeblood of every organisation and guarded jealously. Why? Because data is the only thing in a business that cannot be replaced. It is possible to replace the people, the network, the infrastructure and the equipment, but data cannot be replaced and as such has an intrinsic value to the business. Organisations need to start thinking about managing their data better, not just because legislation tells us to do so, but because doing so makes good business sense. Instead of implementing isolated solutions for gathering, processing, backing up and archiving information, businesses should implement a unified platform for data management. This makes PoPI compliance attainable.
Partnering with a trusted data management solution provider in a vendor-neutral, locally-hosted data centre is a smart move, because a unified platform will make the processes more streamlined and cost-effective. Such a platform will make it easy to gather, process, retain, back-up, archive, expire or place certain information on hold. A cohesive management platform catalogues and indexes every piece of data it touches within an environment, making it easier to locate and manage. In addition to protecting clients’ and customers’ personal information and maintaining business integrity, once organisations are collecting and managing data more effectively, they’ll be in a position to leverage that information.
Many businesses in South Africa may still be dragging their feet when it comes to adhering and following regulations set out in the PoPI Act but its implementation is imminent. Businesses should consider partnering with right data management specialist in preparation of the enforcement of the PoPI Act. Furthermore, they will be able to turn what may see as an onerous exercise into one that delivers real value.