How will POPIA, the Protection of Personal Information Act, impact you?
At the end of June 2020, the State President announced that the major part of the Protection of Personal Information Act, commonly referred to as POPIA, would come into effect on 1 July 2020. All role players affected by POPIA have until 30 June 2021 to ready themselves to formally comply with all the provisions of the Act. From 1 July 2021, contravening the Act may result in prosecution.
Because certain parts of the Act had already been approved in 2013, a lot has been written over the last few years about the purpose of the Act and its impact on companies. The part approved in 2013 was primarily administrative and contained no provisions under which anybody could be prosecuted. The part that came into effect in July 2020, however, contains the teeth of the Act, and from July next year failing to comply can have serious consequences.
As the name indicates, the purpose of the Act is to ensure the protection of the personal information of everyone in South Africa. Any company that has been given the personal information of a client, patient, member or any other living person has the responsibility to protect and process that personal information as the Act specifies.
As indicated, a lot has been written about WHAT the Act requires, including functional aspects such as:
- How personal information must be captured, processed and shared
- When personal information must be deleted
- The re-use of personal information for a purpose other than the one for which it was originally collected
- The reporting of any breach of personal information
- Penalties if data breaches occur, and more
Less has been written about the HOW of the Act, meaning how you must ensure that you comply with it. In particular, the technical side of the Act, how personal information stored on a computer system must be protected, has received less attention. It is precisely the Information Security measures that have to be implemented on a computer system to protect against a data breach that will keep the management of many companies awake at night for the next year, and beyond. Sections 19 to 22 of the Act are dedicated to (Information) Security safeguards. You will have to implement such Information Security protection measures on your computer systems to limit the risk of a data breach.
Large companies will probably get professional support from Information Security specialists, but small and very small companies usually do not have the funds for that. In fact, many such small companies think that the Act does not apply to them. That is a very big mistake. Even if you are a bed and breakfast run by one person, the Act applies to you too. Every person who collects and stores the personal information of another person on a computer system (or in a physical file) has to ensure the protection of that personal information. Even if you store only some personal information about your domestic worker on your home computer, you are liable under the Act if that personal information is compromised in any way, and you are therefore required to implement the necessary security safeguards.
Many small and very small companies have outsourced the management and security of their computer systems to an IT company. They may think that they can now also outsource their liability and accountability under POPIA to that company and let it worry about compliance. The Act, however, is very clear on this point: accountability, liability and responsibility remain with the person who collected the personal information (the "responsible party" in the Act's terms), not with the service provider who processes it on their behalf. So if you are the owner of a bed and breakfast that stores the personal information of your clients on your computer, you, as the owner, are liable under the Act if that personal information is breached, even though you have outsourced your whole IT system to an outside company, and even if the computer on which the data is stored sits on the premises of that outsourced company. If that IT company compromises the personal information of your clients in any way, the Act says the buck still stops with you. That, of course, places a massive responsibility on you as the owner of the enterprise.
The bottom line is that you, as the owner, will have to enter into a formal written agreement or contract with the company to which you outsource your IT systems. In this agreement you will have to get the IT company to formally commit to securing and protecting your clients' personal information precisely as the Act requires. Bear in mind that even with such an agreement in place, if your clients' personal information is breached on the IT company's systems, you remain liable under the Act; the contract gives you recourse against the provider, but it does not transfer your accountability.
Perhaps you can now understand why it was stated earlier that the management of many companies will have restless nights.
In the next issue, we will expand a little more on precisely what actions you should take in your enterprise and in your relationship with your outsourced IT partner.