For the first time, South Africans will have their constitutional right to the privacy of their personal information enforced. The Protection of Personal Information Bill (PPI) will bring South Africa in line with international data protection laws and at the same time will protect personal information collected and processed by public and private organisations.
Personal information privacy presents a growing challenge as organisations must adapt and comply with complex international laws on how they handle personal information. The Bill requires organisations to establish appropriate policies and procedures to protect the various forms of data that are part of their business operations.
Deloitte approaches each matter with a view to providing workable, practical PPI solutions – underpinned by a focus on building trusted partnerships with our clients.
If you process information such as names, addresses, e-mail addresses, ID numbers, employment history or health data that is associated with an individual, or if you outsource your data to third parties, your organisation will have to comply with PPI. All organisations have personal information about shareholders, employees, customers and suppliers, so PPI affects every area of your business.
Organisations should consider:
- The limited time to comply
The Bill should become an Act in the next three to six months. Business will be given a year to comply, but the full compliance procedure could typically take up to three years.
- International privacy laws
Several countries already have strict privacy laws. If your clients are doing business internationally, they are probably already in breach of the privacy laws in those countries.
- System changes
These changes often require reloading or rearrangement of information. This may be an opportune time to implement aspects of PPI.
Non-compliance with the provisions of the Bill may result in criminal fines, civil liability and complaints to the regulator.
- What are the first steps?
- Who in the organisation should be responsible for PPI?
- Where is the applicable information located?
- In what way does PPI affect my internal and external processes?
- What do I need to do to comply?
- How should non-compliance be handled?
- What is the cost of compliance?
- How do I reduce the costs of storage, administration and management of data?

There are fourteen information protection principles which establish minimum requirements for the processing of personal information which should be considered before you become compliant:

Collection
- Personal information will have to be collected directly from the person involved
Processing
- Consent from the individual will be required before the information can be processed
- Personal information must be updated to remain accurate and complete
- The processing of information for direct marketing is prohibited unless the company gets consent from the person involved
- A person’s information can only be sent out of South Africa if it is to fulfil a contract between the individual and the firm, is required by law or consent has been given
- Individuals have the right to request confirmation of their data from a company as well as make corrections to that information
Purpose specification
- Data can only be collected for a specific, explicit and lawful purpose
- The processing of personal data must be compatible with the stated purpose of collection or must be legally compliant
- Personal information related to sensitive issues like race, health or politics has its own distinct rules under this Bill
Further processing
- Personal information that will be processed further than the initial purpose of collection must comply with the conditions
Retention requirements
- Information cannot be retained for longer than necessary and will have to be destroyed
Data and quality integrity
- Companies will be responsible for the security and integrity of data
- Security measures have to be put in place if a third party processes information on behalf of the company
Destruction and archiving

Organisations can gain significant business performance improvements by approaching the Protection of Personal Information Bill as a strategic opportunity rather than a compliance cost. There are advantages to be gained within a company, for example:
- Technology gets the budget go-ahead for middleware and data warehouses, new SAP modules, data security upgrades etc., which add value when linked to the overall business strategy.
- Select technology to support more than just data integration, e.g. options ranging from cloud to separate software and simple upgrades.
- Build a customer-focused organisation by digging deeper into existing customer data
- Valuable information around customers and markets can be obtained through data analysis of personal information for purposes of PPI compliance
- Employees’ files are updated and remain up to date.
- Organisations who lead the market in becoming PPI compliant will earn customer respect and loyalty
- Valuable insights can be found in an organisation’s existing database, ahead of customer requests for their data removal

Data is any company’s greatest asset – its value needs to be optimised within the framework created by the law, corporate governance requirements and customer expectations. In addition, clients that begin this project now can be positioned as front runners in the data privacy space, giving them a competitive advantage. Deloitte is able to offer the convenience of a flexible, integrated multifunctional process by encompassing all areas related to the PPI challenge.

- Increases shareholder value / financial performance
- Reduces risks – compliance, reputation, fraud, legal (penalties and damages)
- Uncovers ‘unknown’ data stores for better enterprise-wide use to benefit the whole organisation
- Convenience:
- Deloitte will provide support and guidance through the whole PPI process
- Global expertise
- Security
- Data analytics
In this way, Deloitte harnesses PPI into an opportunity which offers organisations more value through the compliance process.
