Whether you’re a business or a consumer, you are impacted by the Protection of Personal Information Act (POPIA). Europe has even more stringent legislation in the form of the General Data Protection Regulation (GDPR), which becomes enforceable in May 2018. However, unless they’re doing business outside of South Africa’s borders, local businesses need to address POPIA compliance as their immediate concern, according to Deltalink CEO Gerrie Terblanche.
He says, “POPIA compliance affects every organisation, regardless of the business they’re in. It applies to all processes and activities where personal information is collected, managed, stored or shared. There is no magic generic solution for POPIA compliance. Implementing an enterprise content management (ECM) solution is just one of the measures – and an important one at that – that can help businesses on the road to compliance.”
Terblanche urges businesses to take the first step towards implementing a system solution that will help them better manage the personal information under their control: “Nobody can afford to wait and see what happens; the POPI Act is in effect. It’s in the constitution. The draft regulations have now been published. Many businesses are taking a wait-and-see approach pending the outcome of the first test case. However, considering the seriousness with which the GDPR is viewed in Europe, this wait-and-see approach could be a very high-risk one.”
Research by AIIM (Association for Information and Image Management) around GDPR shows that personally identifiable information (PII) data loss or exposure is largely the result of staff negligence or bad practices, as opposed to inadequate technology or hacking. Not only does such a loss affect your business’s brand reputation, but it could also mean incurring significant financial penalties if you’re found to be in contravention of POPIA requirements around PII. This means that businesses have to get their own houses in order to keep staff, client and citizen data secure. But what steps can businesses take to ensure they’re compliant with POPI- or GDPR-type legislation?
Factors that businesses need to take into account include:
* Data export restrictions;
* Right to access personal information;
* Data in transit;
* Data portability;
* Right to be forgotten/erased;
* Privacy by design;
* Explicit consent; and
* Breach notification.
Terblanche cautions that becoming compliant with POPIA is not a simple process. “Simply configuring software alone isn’t enough; the user needs to use the system correctly to be compliant. We’re talking about governance policies, processes, people, technologies, training and monitoring – and there’s no one-size-fits-all solution and it certainly isn’t a templated approach.”
“While we address the digital content information management portion of the compliance framework, we work closely with duly qualified POPI consultants who design the overall compliance framework that’s a perfect fit for the business, depending on the nature of the personal information that it uses. Facilitating the proper management of that information is key to keeping abreast of the compliance challenge.”
Policies for all areas of business that touch the POPIA requirements should guide the design of the enterprise information management system to monitor, track and manage all relevant information and processes.
Terblanche says: “Digitalisation of information and processes is key to ensure that the safeguarding and destruction of personal information is properly controlled, leaving an audit trail of all processes and activities that information is subjected to throughout its lifecycle.”
“Having a metadata-driven system in place makes it easier to meet all of the requirements laid out by POPIA and its regulations, giving you a single viewpoint of data stored across different systems, network folders and other information silos, so that you can find, analyse, control and audit personally identifiable information.”
–Deltalink Consulting by Alison Job