The Protection of Personal Information Act is a piece of South African regulation that has been spoken about at length over the better part of the past decade, but in recent years it seems like discourse over POPIA (or POPI) has died down slightly.
It really shouldn’t have though, especially as a similar regulation, GDPR, is having far-reaching effects and a significant influence on how technology companies conduct their business and handle data.
POPIA is expected to prove just as pivotal when it comes into effect, and as local technology asset disposal expert Xperien warns, the time has finally come for South African businesses to act upon it.
This as the proposed 1st April 2020 date (yes, we thought it was an odd choice of date too) for POPIA to be finalised and brought to the fore inches closer. Added to this is the fact that the chairperson of the Information Regulator, advocate Pansy Tlakula, has already sent a request to President Cyril Ramaphosa to bring the outstanding aspects of POPIA into effect.
According to Xperien CEO Wale Arewa, after the aforementioned commencement date, companies will have 12 months to get their systems and processes in place to comply with the Act for the processing and storing of personal information.
“The POPIA Act will ensure that companies are responsible when collecting, processing, storing and sharing personal information and once the Act is effective, they will be held accountable. The penalties will be harsh; lack of compliance will lead to fines of up to R10 million and a jail sentence of up to 10 years,” he warns.
Speaking specifically to the storage elements contained within POPIA, the Xperien CEO notes that new corporate policies for data storage will be required, especially with piles of hard drives and SSDs lying around storage rooms and data centres.
“Disposing of old computer equipment used to be a mindless process, but those methods of the past are no longer an option with the introduction of new laws and regulations. The days of piling it up in storage or simply selling it off to staff or second-hand retailers or even dumping it in a landfill, are over,” he points out.
Data at end-of-life will become a massive challenge for most businesses, big and small, he adds. This as it is often assumed that once data has been marked for disposal, it no longer requires much attention. Arewa stresses that it is essential for data security and the protection of personal, proprietary and confidential information that data is permanently destroyed, deleted or erased from devices.
“Even using the old hard drives for target practice or drilling holes in them will not satisfy the prescriptions of the PoPI Act and nor does a factory reset,” says the Xperien CEO.
With POPIA looming once again, Arewa points to the expensive lessons that some companies have learned as a result of GDPR, lessons local businesses should heed if they do not want to incur massive penalties.
“It might make sense to have one compliance project that covers all bases, POPI and the GDPR alike,” he concludes.