Why complying with the Protection of Personal Information should be a priority
By now you have probably been targeted by a newsletter or blog from a law firm telling you to become POPI compliant. We have a slightly different approach, because we do not think that POPI should be the reason to take a close look at how your business treats personal information.
When will POPI come into effect?
There has been a lot of speculation about when POPI will come into effect. We asked the Information Regulator. She says that an effective date will be announced towards the end of the year. From the effective date, businesses will have a year to become compliant.
POPI makes it illegal to collect, use or store the personal information of consumers and businesses unless it is done in accordance with the rules prescribed in the Act. These rules will impact how information is collected, what it can be used for, maintaining the quality and security of the information and how and for how long the information can be kept.
It became clear in recent years that the proper treatment of their personal information matters to consumers, but why should it matter to the businesses using the information? Put differently, how can a business justify spending money on, and committing resources to, improving data governance? Because the risks created by not treating personal information with care is about much more than legal compliance.
For most businesses, personal information is an asset. Whether it is central to its services or only used for marketing, there is value to having personal data which is of good quality (which is one of the conditions of lawful processing) and is kept secure (another condition of lawful processing). The loss of or damage to this asset results (often directly) in loss of profit. Sceptical? Here is a phenomenal infographic about the biggest data breaches since 2015 and what they cost.
Good information governance will increase transparency which, in turn, will inspire trust in the business. When it comes to sharing personal information, customers are often swayed by whether they can trust a business or not. Viewed this way, it becomes something which is marketable and may lead to increased business.
Privacy has become increasingly important to consumers as the internet started playing a central role in their lives and how they interact and transact with companies. Privacy breaches result in losses in profit, but also affects consumers’ trust in the company. When consumers do not trust a company, they are less likely to give them their information, or may provide inaccurate data.
Good information governance can lead to a reduction in operational costs. Investigations into the lawfulness of processing often uncover inefficient processes which can be addressed to be more cost-effective.
Achieving legal compliance brings with it a reduction in the risks of restrictions on processing activities, fines and lawsuits. POPI will establish a new Information Regulator who will have wide ranging powers to prohibit the processing of personal information which it deems unlawful. It can also impose administrative fines of up to R10 million. Last but not least data subjects will be able to bring claims for damages against offending businesses and POPI provides that the Information Regulator can bring these claims on their behalf.
Training and awareness is a large component of any POPI compliance campaign. Or, in the absence of a campaign, it is a good start. Why? Training raises awareness, exposes risk and changes behaviour. More so than with many other pieces of legislation, the risks created by POPI can often be addressed through small adjustments in behaviour, rather than wholesale changes to a business’ structure or services.