Addressing Assumptions about POPI

We are not Google, so why should we care about data privacy?

Let’s not beat about the bush. Complying with data privacy laws can be expensive and POPI is no exception. So it is not surprising that small businesses are balking at the idea of spending 5 figures on data privacy, particularly if they don’t think that their primary business is processing data. While I don’t blame them (nobody wants to do compliance), their attitude is built on some pretty big assumptions. And you know what they say about assumptions…

#1: All POPI projects are expensive

Nope. POPI is built on the notion of reasonableness. You have to keep data reasonably secure, reasonably accurate, notify people when you collect their data if it is reasonably practical etc. The word is used about 80 times.

What does this mean? What is reasonable for a big business like Google (or Alphabet, as they are now called) is not reasonable for a 10-person financial planning or brokerage firm. Regulators the world over take the size of a business and its resources into account when establishing what is reasonable. It also means that while compliance with data protection undoubtedly costs Google millions every year, it does not have to be the same for small businesses.

A risk-based approach is also advisable. This means that you choose the biggest risks first and tackle them one by one over time.

#2: Financial services companies are not in the business of processing data

The reality is that, these days, most businesses are built on data. Most of us use our customers’ data to sell them products and services and then we often use that data to develop new products and to market to them. Some even sell the data, creating a new revenue stream (we discussed this in a previous blog).

So, everybody should pay attention to good data governance. What happens if you don’t?

Well, obviously you could find yourself face to face with the Information Regulator. This might lead to a fine, or she might tell you to stop doing what you are doing or change the way in which you are doing it.

You may have a breach. This will cost you money to address and may cost you customers, because they no longer trust you.

Often, the biggest problem is that other companies will not be able to do business with you unless you are compliant. In terms of POPI, companies are not allowed to share data with other companies unless those companies give a contractual undertaking that the data will be secure.

#3: This is a compliance exercise

It is no surprise that people view POPI as a compliance exercise. That is a pity, because compliance has a PR problem. The perception is that it costs money without adding value.

Good data governance isn’t like that, because it leads to massive operational efficiencies if it is done right. It will fix broken processes, streamline your application process and improve your data quality. Without good data governance, using financial technology to its full potential (which is what your competitors are doing) becomes impossible.

So what do you need to do?

Learn about POPI. Find a compliance expert who believes in a risk-based approach and who will customise POPI compliance for your business. Don’t panic. POPI will probably only be enforceable in about 2 years. But don’t delay either, because a data breach can happen tomorrow and will have calamitous effects on your business. More importantly, without good data governance you cannot capitalise on financial technology. Don’t be left behind!