Monday, 30 April 2012

POPI: Protection of Personal Information

By now, most will have heard of POPI, or the Protection of Personal Information Bill. Principally, POPI's goal is to protect our constitutional right to privacy. This follows South Africa's recent trend of promulgating pro-rights, consumer-centric legislation such as the Consumer Protection Act and the National Credit Act.
Most commentators believe POPI's promulgation into law is imminent and I would expect it to happen in the next year. How does this affect the ordinary Joe Public and/or companies?

The logical starting point is to consider POPI's application, i.e.: will it even apply to me/my situation? That question will probably be answered in the affirmative regardless of whether one is a private individual or a juristic entity. Simply, if one is processing (using, storing, transferring) personal information (a broad definition that includes most forms of data one would consider personal in nature, e.g.: race, gender, blood type, religion) then POPI will apply.

For the ordinary person what this means is that a regulatory body called the Information Protection Regulator (IPR) will be created to protect and enforce our right to privacy.  The IPR should, in theory, be able to assist with queries, provide the public with advice, adjudicate disputes and enforce its decisions.

Conversely, for the IT director, in-house counsel and a plethora of other corporate individuals, POPI represents a significant amount of work and change. By now, most of this work (or the preparation and research thereof) is probably done or well on the way. Penalties could be harsh and compliance will be a must for any individual or company processing any personal information.

As pointed out by auditing firm Deloitte, POPI can be looked at as an opportunity for a value add. Current policies, procedures and contracting methodology can be reviewed and re-aligned to reap maximum benefit from our rapidly evolving regulatory law environment. Strategies must be fluid and management teams must be geared for change, particularly in the ITC, supply chain and banking industries where the transfer of data is immense.

In an effort to save cost and find a quick fix, some businesses (particularly those burdened with excessive bureaucratic structures) may approach this task as a tick-the-box compliance effort. These businesses will get zero value from the exercise and will probably be unable to capitalize on any potential value POPI may be able to add to the company concerned.

POPI is a complex and far-reaching piece of legislation, but if one adopts an attitude of opportunity, there are areas of the proposed act that may work for certain individuals and organisations if executed and marketed in the correct fashion.

Only time will tell whether the IPR will be a toothless animal or whether significant changes are on the horizon for the manner in which personal information is gathered, stored, transmitted and used. 

Many companies rely on personal information for statistical analysis, strategic decision making and marketing direction. A common misconception is that POPI makes it unlawful to use personal information. This is not the case. POPI introduces measures and concepts aimed at regulating the use of this data, and presumably, to protect society from unscrupulous individuals and companies collecting and abusing this information. 

Companies with solid internal structures and policies in line with POPI and the other recent consumer legislation should not suffer and should view current times of regulatory change as an opportunity to increase market share and aggressively approach the consumer-centric society we find ourselves in.
