POPIA – one year later
Nadia Verappen, Compliance Officer, Compli-Serve SA
Typing in your ID number at record speed is a newly acquired skill, as organisations seem to have abandoned a risk-based approach for fear of retribution from the Information Regulator. There is not a single form of communication from an organisation that does not require a password in an attempt to avoid the exploitation of our personal data. So, one year later, how has South Africa’s new era of privacy fared? As we all clambered towards compliance with POPIA, what has changed apart from the password debacle?
POPIA is intended to give individuals increased control over how their personal data is collected and used. In doing this, it also opens new risks for organisations that handle personal data. Yet, despite this and the increased controls in place, storing and selling personal data is still a booming industry.
Unfortunately, industries that store valuable information, like healthcare and finance, are the main targets for hackers. As hackers and scammers use social engineering, phishing scams and your own social media accounts against you, organisations are spending fortunes on firewalls, cyber security and data experts to develop processes that keep information secure.
The battle for data privacy is hard fought and often lost even by big organisations, like Dischem and credit reporting giant TransUnion. As the war against data privacy breaches rages on, the visibility of the Information Regulator is being questioned.
The lack of fines to date, and our inability to register Information Officers via the Information Regulator’s website, are frustrating, but they are in line with international experience: it took almost two years for the first General Data Protection Regulation (GDPR) fine to be issued. As we look to the Information Regulator, which is empowered to monitor and enforce compliance by public and private bodies with the provisions of POPIA, we wait for it to continue developing its framework.
This delay provides a further opportunity for organisations to stress test the robustness of their POPIA controls by assessing the privacy risks that exist throughout their processing activities, and by performing personal information impact assessments to ensure that adequate safeguards are implemented to mitigate those risks.
While doing this, organisations must take heed that the Information Regulator has extended the reach of its regulatory mandate to include the Promotion of Access to Information Act (PAIA). The main objectives of PAIA are to promote transparency, accountability and effective governance of all public and private bodies, and its inclusion will further assist members of the public to scrutinise and participate in decision making by public bodies.
Furthermore, PAIA ensures that the state promotes a human rights culture and social justice. The aim is that the inclusion of PAIA will encourage openness and access to information in an expedient, cost-effective and consumer-friendly manner.
While there is no doubt that fines are likely to change policies and practices, and will provide a sense of urgency to those who are lagging in compliance, the time for better governance of technology and data collection was yesterday.