By Wynand Smit, CEO at INOVO
Years in the making, the Protection of Personal Information Act is inching towards completion. With talk of it being ready for rolling out, potentially as soon as 2017, companies need to ensure that they’re shifting towards compliance or risk coming under fire.
Parliament has recently voted to appoint an Information Regulator for the Protection of Personal Information Act (POPI) and the Promotion of Access to Information Act (PAIA). The National Assembly also voted in favour of the nomination of the five candidates earmarked to run the regulator.
Although their appointment must still be approved by the President, the date on which POPI’s remaining provisions come into effect is likely imminent, at which point the provisions not yet signed into law will be finalised. As soon as that happens, companies will have one year within which to ensure that their business practices are compliant (with the potential for a maximum extension of three years).
Businesses that gather customer data or interaction history, i.e., personal information such as anything that can be used to identify an individual (identity number, company registration number, physical address, email address, etc.), will then have to abide by any restrictions regarding how this information may be processed under POPI legislation.
The process of producing the legislation has been protracted, involving many stakeholders, and consumers have been taking it seriously: with markets shifting to a primarily online and mobile environment, consumers are increasingly aware of the need to protect their personal information, and they want the companies with which they interact to take this responsibility seriously.
This long wait is almost over, and it’s apparent that companies will have to update, adapt or develop their business strategies in order to ensure compliance. For some, a year will scarcely be enough time for this, especially since it may involve entirely new business process design and development.
It will have an impact on almost all kinds of companies and sectors, as anyone who maintains databases or uses customer details for identification purposes will be required to get in line with POPI. Apart from the mandatory legal requirements, there’s the expectation from customers that companies should be ethical as well as responsible in the way that their information is processed.
In brief: POPI will require organisations to appoint an information officer (every organisation requires one in terms of POPI), establish processes, and set up or modify systems to ensure that
- data is constantly secured
- new data is appropriately handled
- old data is destroyed as it reaches end of life
Additionally, organisations have to notify persons of what information they hold and how they intend to use it, verify that the information was given voluntarily, confirm that it is stored securely, and establish how long it may be kept.
Business sectors such as contact centres will have to engage sooner rather than later to address how their customers’ information is stored and processed. Older legacy software, infrastructure and processes may not be adequate for this, so business plans for the months ahead need to address the strategy for becoming compliant, together with the budgetary requirements associated with it.
Companies using vendors should be consulting with those vendors to ensure that they will not be penalised for third-party software that is not compliant; it should not be taken for granted that vendors and other third-party suppliers are taking steps towards compliance.
Ultimately, the customer will benefit, and, if customers are happy, they’ll keep coming back; POPI is an opportunity to identify problem areas and make them leak-proof for best-practice customer interactions.