The data security industry welcomed yesterday’s announcement that the Protection of Personal Information Act (POPI) has been signed into law. The Act makes new provisions for the security, handling, and storage of the personal information of every citizen in the country, which means that every business that collects such information will have to comply.
Andrew Kirkland, Trustwave‘s regional director for Africa, says, “It is a great step forward in helping safeguard South Africans’ private information. The signing of the bill means that South Africa is taking an historic step forward in building defences against growing cyber threats.”
Other countries, including Australia, Canada, Britain, the Netherlands, and many others in the European Union, have had similar privacy laws for some time. Those laws have protected citizens in cases where companies mishandled information through negligence, but they have also obliged companies to design their products and services so that they comply.
As the world moves into an era where privacy, both online and offline, is a serious concern, companies whose products comply with the laws of the countries they operate in stand a better chance of seeing those products adopted. Companies that comply early also stand a better chance of needing few modifications when a country introduces new legislation.
And, yes, international companies will also be required to comply with the new South African law once it goes into effect.
Drew van Vuuren, CEO of 4Di Privaca, says that the new law is very modern in its scope, comparing favourably with existing international laws, especially because it’s modelled on European data protection laws. Privaca has been preparing for the introduction of POPI for the last year, and will be providing privacy impact assessments for businesses in South Africa.
Which businesses will be affected? Essentially, any company that collects data on South African citizens, who are the people the law protects: from a small, home-run business that keeps a list of clients all the way to a large multinational corporation with enormous databases. Privaca will offer the expertise to help those entities comply with the eight information principles of POPI (accountability; limits on the processing of information; purpose of information collection; limits on further use; quality of information; openness; security of information; and data subject participation).
van Vuuren breaks compliance down into five points:
- Assess the organisation’s current POPI status
- Define or redefine business practices so that they align with POPI requirements
- Measure the effectiveness of current practices against POPI requirements
- Set a roadmap for compliance
- Urgently address high-risk categories in current practices
Compliance will be crucial, especially when the information regulator does its annual audit.
There is some time to comply, though. Drew points out that the Act stipulates that organisations will have 12 months to comply from the date the law goes into effect. Those who think this is too little time to prepare are not alone.
“If the Justice Ministry, in consultation with the Information Protection Regulator feel that it is too restrictive it could be lengthened,” says Drew.
“Historically, when a new regulator is established, as in the case of the National Consumer Commission when the Consumer Protection Act was introduced, there is a period where the regulator tries to establish its credibility and ensure that it has the necessary clout to perform its functions.”
With POPI, the Information Protection Regulator will be established as an independent statutory body that enforces all information privacy matters. The new regulator will have a big hammer, too: depending on the case, those who fail to comply with POPI can be fined up to R10-million or sentenced to up to 10 years in prison. It will take time for the kinks to be ironed out, though, and for the regulator to get its own systems up and running to enforce the new law.
The regulator’s authority won’t just be local. As mentioned, international companies will have to comply as well. In a few examples involving theoretical local and international businesses, Drew explains how POPI would be applied.
A local company that collects names, email addresses, and phone numbers of its customers, whether they are South African or not, and stores that information on servers in South Africa will have to ensure that collection and storage follow the guiding principles of POPI. For a local company doing the same but hosting its servers abroad, POPI requires that those servers be located in countries with comparable legislation. In other words, a local company may host its servers in any country whose laws are similar to POPI, as that falls within the law.
Finally, any international company that offers services to South Africans, and has its servers based off shore, will also have to comply with the new local law. There is precedent here, too. Mobile messaging application Whatsapp was forced to comply with Dutch data privacy laws despite being developed by an American company.
So, if a new online service launches in South Africa, it will be up to the owners of the service to make sure it complies with our laws. If information is collected in South Africa and shipped offshore, controls need to be in place to make sure the transfer meets the requirements of POPI. Failure to do so would see the regulator advising the company that the scope in which it may conduct business locally will be limited.
That said, Drew says that international organisations generally agree to operate within the bounds of a geography’s laws.
While international companies generally comply, the harder problem will be for local businesses to be ready by the time the law goes into effect, and for the regulator to be operational by then.
“The concern is that there may be resourcing issues locally [which] the regulator will face when policing the implementation, as there is a paucity of skillsets in South Africa [when it comes to understanding] the requirements and its complexities,” says van Vuuren.