OVER the past few months, many South African businesses have been scrambling to align their operations with the new Protection of Personal Information Act (POPIA).
That’s according to Muhammad Ali, MD and lead auditor of ISO standards training and implementation specialist WWISE, who said even non-commercial ventures like community Facebook and WhatsApp groups have posted questions to members to ensure they meet the requirements of the Act, designed to protect South Africans’ constitutional right to privacy.
“While many welcome the fact that mining of personal data and cold calls will be a thing of the past, POPIA will impact legitimate companies reliant on information to make ends meet,” Ali said, adding that some analysts had pointed out that direct marketing businesses are expected to take a hit, with the effect ultimately felt by consumers.
In the past, for example, it was easy for people to opt into a marketing message by simply responding “YES” in an SMS. POPIA now requires that consent forms are filled in and returned to the business so that it complies with the Act.
“For business owners, the situation presents a challenge and may appear overwhelming. But it need not be so.”
Ali said while POPIA may be the new kid on the block, data protection laws are already well established in South Africa and compliance mechanisms in place to meet regulations. “The International Organisation for Standardisation (ISO), a certification carried by the country’s leading companies, is globally recognised and as such, carries considerable weight with regulators.”
Among the ISO offerings is ISO 27001, which contains the requirements and tools to assist in mitigating the risks associated with private information within organisations. In other words, the perfect vessel to navigate POPIA’s unchartered waters.
Ali acknowledged that advancements in technology should raise questions about people’s safety online and how their private information can be protected. But he said he also recognises the value information holds for established businesses fearful of what POPIA might do to their operations.
“It does sound like a disaster waiting to happen, but it’s not the case at all if organisations introduce information management systems like ISO 27001,” which he descrived as a family of standards developed to provide a framework on which an information security management system can be successfully implemented.
“It focuses on protecting the confidentiality, integrity and availability of the information in a company by applying a risk management process.
“This gives assurance to all parties that risks are competently managed while helping any business comply with the POPI Act. Applying a security management system gives confidence to all interested parties that risks are adequately managed.”
According to Ali, there are six clear steps that an organisation should take to comply with POPIA.
The first is to appoint an information officer. Secondly, a privacy policy needs to be drafted. The third step is to create awareness about the Act among all employees. Once this is done, contracts need to be amended.
As a fifth measure, any data breaches need to be reported to the regulator and the people whose private information has been implicated. Finally, any transfer of personal information needs to be undertaken legally.
Having dealt extensively with existing privacy laws, Ali has seen first-hand how the implementation of ISO 27001 can actually benefit a business or organisation.
“You’ll find it becomes easier to comply with other necessary regulations, and also provides opportunities to gain a competitive advantage,” he said.
“There are other advantages, too. Not only do customers feel safe and more confident in returning, but there is more consistency in a business’s internal processes. By building a culture of accountability and security, the company and all its shareholders are protected.”
Ali and his team assist businesses by assessing their information and making recommendations on how best to handle it.
Based on their findings, they will be able to offer advice on the circumstances under which the business may process information, the duration they may process it, how the information must be maintained and secured, and how and when it should dispose of the information.
“Furthermore, we assist in closing the gaps by way of administrative alleviation. We do this by working with your process owners to understand the requirements and conditions for your business.
“Ultimately, this enables you to take control of the protection of data, keeping the information of all stakeholders safe.”
Once the process is complete, a third party regulatory body undertakes an audit of the business to safeguard the investment in documenting, implementing and maintaining the information security management system.