The Protection of Personal Information (PoPI) Act was signed into law in 2013. It has been introduced to promote the protection of personal information and to finally provide South Africans rights over their data and who can access it.
One of my responsibilities at SecureData has been to look into the implications of PoPI, what it’ll mean to our end users, and how we might use the introduction of this act to drive the sales of technology through the channel.
Before seeing the act, there was an assumption on my part that this was going to be a standard, much like PCI, that would dictate to businesses exactly how they should be protecting this sensitive data. Of course, what we’ve got now is a piece of legislation which is far from that.
PoPI is largely about people and process. There is little or no direction provided as to the sort of technical controls that should be applied to protect personally identifiable information (PII). Certainly, interpretation and implementation of the act will be different for every party, and that is where we, as security thought leaders, are aiming to add value to our resellers.
There’s still much we don’t know about how or even when PoPI will be enforced, but for sure every industry will be affected by PoPI, so we need to be strongly emphasising that the time for action is now.
The one-year deadline is giving businesses an excuse to delay implementing additional measures, but we, as trusted advisers, should be referring to the introduction of similar data protection laws in other regions. The UK Data Protection Act and the US HIPAA laws came with a three-year lead-in period for compliance, and it is my opinion that the one-year grace period provided by PoPI should not be seen as a reflection on its complexity to implement but rather as an urgency to bring all businesses in line with the rest of the world without further delay.
Rather than seeing it as a burden, we should be promoting and celebrating this piece of legislation. It finally provides South Africans a constitutional right to privacy, brings us in line with the data protection laws of the other developed nations and makes us a more appealing place for international companies to do business with.
The introduction of PoPI now simply provides an additional platform to address the strong Data Protection practices and systems that SecureData has already been promoting. Implementing such technical controls will not only transition businesses from a reactive security approach to a proactive risk management model but will also provide massive value in ensuring compliance with PoPI and the protection of PII.