Last night President Jacob Zuma signed into law another major consumer protection law, the Protection of Personal Information Act.
The new law calls for companies collecting data on consumers to take precautions when collecting, storing, and sharing information. One very basic application for this is in the telemarketing industry, where consumer information is currently freely passed around. Another area where POPI will apply is the secure storage of personal information. Any South African company collecting information on consumers would be required to store the information safely. Any hacks or leaks that are deemed to be preventable will leave the guilty company responsible.
POPI calls for strict rules to be followed for how companies share, store, and secure your information. Failure to do so will result in either a fine of up to R10-million or up to 10 years in prison.
A new office called the Information Regulator will be in charge of enforcing POPI. Among other things, this department will be responsible for dealing with cases of cybercrime where companies did not comply with POPI regulations for the secure storage of personal information.
There are also regulations that call for international companies to comply with local regulations. In certain cases, companies abroad have been held to laws that apply in countries they operate in. Examples include messaging application WhatsApp, based in America, being found guilty of inadequate security measures by the Dutch data protection authority. Sony was also fined in the UK when subscriber information was leaked after the PlayStation Network was hacked in 2011. The British regulator found that the hack was preventable, so Sony was held accountable.
It’s unclear when the POPI Act will go into effect in South Africa, but companies and individuals will have 12 months to prepare for compliance, after which enforcement will start.