How will POPIA, The Protection of Personal Information Act, impact you?
Prof Basie Von Solms
UJ Centre for Cyber Security
At the end of June 2020, the State President announced that the major part
of the Protection of Personal Information Act, often referred to as POPIA,
would come into force on 1 July 2020. All role players affected by POPIA
have until 30 June 2021 to ready themselves to conform formally to all the
requirements of the Act. From 1 July 2021, contravening the requirements of
the Act may result in prosecution.
As certain parts of the Act had already been brought into force in 2013, a
lot has been written over the last few years about what the purpose of the
Act is and what its impact on companies will be. The part that commenced in
2013 was primarily administrative (it established the Information Regulator)
and contained no provisions under which anybody could be prosecuted. The
part that commenced in July 2020, however, contains the teeth of the Act,
and from July next year failing to comply can have serious consequences.
As the name indicates, the purpose of the Act is to ensure the protection
of the personal information of everyone in SA. Any company to which the
personal information of a client, patient, member or any other living
person has been given has the responsibility to protect and process that
personal information as specified by the Act.
As indicated, a lot has been written about WHAT the Act requires, including
functional aspects such as:
· how personal information must be captured, processed and shared
· when personal information must be deleted
· the re-use of personal information for a purpose other than the one for
which it was originally collected
· the reporting of any breach of personal information
· the penalties if data breaches occur
· and more.
Less has been written about the HOW of the Act, meaning how you must ensure
that you comply with it. In particular, the technical aspects of the Act,
that is, how personal information stored on a computer system must be
protected, have received less attention. It is precisely the Information
Security measures that have to be implemented on a computer system to
protect against a data breach that will keep the management of many
companies awake at night for the next year, and even after that. Sections
19 to 22 of the Act are dedicated to (Information) Security safeguards: a
responsible party must secure the integrity and confidentiality of the
personal information in its possession, and must notify the Regulator and
the affected persons when it becomes aware of a security compromise. You
will have to implement such Information Security measures on your computer
system to limit the risk of a data breach.
Large companies will probably get professional support from Information
Security specialists, but small and very small companies usually do not
have the funds for that. In fact, many such small companies think that the
Act does not apply to them! That is a very big mistake. Even if you are a
bed-and-breakfast enterprise run by one person, the Act applies to you too.
Every person who collects and stores the personal information of another
person on a computer system (or in a physical file) has to ensure the
protection of that personal information. Even if you only store some
personal information about your domestic worker on your home computer, you
are liable under the Act if that personal information is compromised in any
way, and you are therefore required to implement the necessary security
safeguards.
Many small and very small companies have outsourced the management and
security of their computer systems to an IT company. They may think that
they can now also outsource their liability and accountability under POPIA
to that company and let it worry about compliance. However, the Act is very
clear on this matter: the accountability, liability and responsibility
remain with the person who collected the personal information (the
"responsible party" in the language of the Act), not with the IT company
that processes it on their behalf (the "operator"). Therefore, if you are
the owner of a bed-and-breakfast enterprise who stores the personal
information of your clients on your computer, you, as the owner, are liable
under the Act if that personal information is breached, even though you
have outsourced your whole IT system to the outside company, and even if
the computer on which the data is stored is on the premises of that
company. If the IT company compromises the personal information of your
clients in any way, the Act says the buck still stops with you. That of
course places a massive responsibility on you as the owner of the
enterprise.
The bottom line is that you, as the owner, will have to enter into a formal
written agreement or contract with the company to which you outsource your
IT systems; the Act itself (section 21) requires such a contract. In this
agreement you will have to get the IT company to commit formally to
securing and protecting your clients' personal information precisely as
required by the Act. But even with such an agreement in place, if your
clients' personal information is breached on the IT company's systems, you
are still liable under the Act.
Perhaps you can now understand why it was stated earlier that the
management of many companies will have restless nights!
In the next issue, we will expand a little more on precisely what actions
you should take in your enterprise and in your relationship with your
outsourced IT partner.