At a recent conference held in September 2017, Professor H.B. Klopper of Monash University spoke about how organisations can turn the “burden” of having to comply with the POPI Act into a competitive advantage.
Klopper stated that the core purpose of the POPI Act is to set the parameters within which South African organisations may collect, process, store, share and update the personal information supplied to them. POPI holds organisations accountable for any loss or abuse of the personal information in their possession. By preventing identity theft and the misuse of information when it is disseminated, it protects something every organisation values: its database, a valuable asset in any business.
How to turn the “compliance burden” into a competitive advantage
Klopper suggests treating the relationship between compliance (with codes of governance and with legislation) and risk management as a source of competitive advantage. The challenge then is not just to create a competitive position, but to sustain it.
This is where compliance comes in. Whether it is compliance with a code of governance or with a piece of legislation, experience has shown that value is created through an appropriate, value-adding approach to compliance and destroyed through an inappropriate, value-destroying one.
How to turn competitive advantage into sustainable competitive advantage:
- Establish a multi-functional steering committee
- Plan and budget for the implementation of your privacy programme at work
A value-adding approach to compliance can deliver:
- New or enhanced products or services
- Improved operating processes and procedures
- Increased customer, supplier, partner, investor, and employee confidence
- Superior reputation compared to competitors who can’t demonstrate a similar level of compliance
- Ability to enhance the customer’s compliance status through being compliant oneself
- Ability to compete where compliance is a requirement
- Ability to demonstrate characteristics not normally associated with the size of one’s organisation
- Brand and reputation enhancement
- Creation of value-adding media coverage through early adoption of compliant behaviour
The hidden benefits of complying with POPI
- Complying with POPI ensures control over who may access and use personal information
- POPI pushes businesses to handle and manage data better, for instance by consolidating data management onto a unified platform, which in turn improves the quality of the data.
- Complying with POPI improves customer relationships. Customer satisfaction increases when customers know that their information, and their interactions with the organisation, are secure and protected.
- Having information in a centralised location, using cloud technology for instance, allows for faster access from anywhere and improves the processes that enhance customer experience.
- Automation of data processing also carries additional benefits such as speeding up the application and approval process.
- The process of complying with POPI can improve the overall management of the business. While an organisation is reviewing the existing systems for information sourcing, processing and storage, there is great potential to spot and correct any inefficient systems.
- Potential clients can complete an online application and receive approval within minutes, as direct connections to statutory bodies allow for instant verification of the applicant’s address, financial status, legal status, credit record and more.
- Although this “easy access” may sound alarming and counterproductive to POPI, the Act’s security mandates mean that, while this information can be readily accessible with the right tools, it must also be handled responsibly and safely.
- Cyber security becomes a priority for businesses that automate and centralise data, because a central store concentrates the personal information that is at risk; this is particularly true when making use of cloud technology.
- To avoid fines, penalties and even imprisonment, depending on the severity of the violation, companies become more proactive about security.
- Companies protect information by governing and managing access rights, facilitating and controlling access, and monitoring user activity.
The manifestation of POPI in organisations
Shredding becomes crucial under POPI, since the Act requires the effective destruction of personal information once it is no longer needed.
Employees need to be trained, to demonstrate that the organisation takes privacy and data protection seriously.
Protocols need to be established covering the processes, strategies, encryption and other safeguards applied to data.
Organisations need to demonstrate to investors and other stakeholders that they respect the individual’s right to privacy; this is also a mark of international competitiveness.
4 Common Misconceptions
Klopper identified four common misconceptions about the POPI Act. These are:
Organisations are led to believe that privacy policies, notices, consent, and choice forms are the most important aspects to establish the base of privacy compliance
- The above principles tend to lose their value if they aren’t integrated into a more comprehensive approach to privacy. This includes capabilities such as data management, risk assessment, governance, risk and compliance frameworks, and IT security and control practices amongst others.
- The biggest challenge for an organisation remains its ability to prove compliance with the Act. This raises the question of how compliance is enforced and measured, both for the organisation itself and for the parties responsible for auditing compliance.
POPI is the concern of the human resources department and only applies to those working in said department
- POPI affects procurement, customer service, IT and every other department that handles personal information; it has to be integrated across the entire organisation.
- An organisation’s suppliers also need to comply with POPI, especially when it comes to the personal information of the organisation’s clients.
The protection of personal information is the same as confidentiality in an organisation.
- POPI is about privacy, which is beneficial for organisations, and prevents the unlawful disclosure of personal information. Keeping information confidential is only one part of this.
- POPI ensures that all South African organisations conduct themselves responsibly when collecting, processing, storing and sharing personal information.
- POPI regulates how information is used, the manner in which and the reason for which it is processed (through the whole information management lifecycle, from collection to usage, sharing, disposal and archiving), and with whom such information may be shared.
POPI has something to do with BBBEE.
- POPI is part of the Consumer Protection Regulation, whereas BBBEE is part of the Economic Empowerment Regulation. Both the Economic Empowerment Regulation and the Consumer Protection Regulation form part of Governance and Compliance.
8 Conditions mandated by POPI for the lawful handling and processing of information
1. Accountability
Organisations are accountable for the manner in which personal information is handled, processed and disseminated. A lawful basis, such as the data subject’s consent, is required before any personal information may be shared.
2. Processing limitations
Personal information may only be processed in a fair and lawful manner, and only with the consent of the data subject or on another lawful ground recognised by the Act.
3. Purpose specification
Personal information may only be processed for specific, explicitly defined, and legitimate reasons.
4. Further processing limitations
Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
5. Information dissemination and quality
Information needs to be accurate and well maintained, and only accessed or used by those who, by law, require access to it.
6. Openness
The data subject must be aware that the organisation is collecting such personal information, as well as why the information is being collected.
7. Security standards
Personal information must be kept secure against the risk of loss, unauthorised access, interference, modification, destruction, and disclosure.
8. Data subject participation
The data subject may enquire where personal information is stored, as well as be involved in the correction and/or deletion of any personal information.
The value of complying with the POPI Act
Although complying with the legislation will affect an organisation’s bottom line, these costs are significantly less when compared to the fines potentially placed on transgressors.
POPI can also act as a driver to address the latest market and consumer requirements and can help organisations with the fulfilment of existing responsibilities, retaining clients, and innovating products and services.
Practical applications to be considered by organisations
Organisations should compare the reality of fines and penalties resulting from non-compliance with the POPI Act with the benefits of privacy as a value proposition to business.
Complying with the Act will instil trust between the organisation and its clients, suppliers and employees, and that trust is itself a business value. Klopper states that the data subject must be aware of the purpose for which any personal information will be used, and must know that it will be destroyed once this purpose has been achieved.
Organisations should ensure that the correct safety measures are in place to keep data confidential and unaltered – this requires an investment in the best possible security systems and processes, as well as the training of staff.
Organisations must comply with consumer requests for the updating or deletion of personal information (such as ID numbers and contact details) and of special personal information (such as gender, race, religion, criminal records and medical history).
Every organisation must create its own effective and appropriate privacy policies and practices in order to protect the personal information of data subjects at all times. An organisation should also be able to provide evidence of its efforts to identify and mitigate privacy risks.
Klopper, H.B. (2017). Unlocking the hidden benefits to business. In: POPI – Protection of Personal Information. Johannesburg, pp.3-23.