PPI Bill compliance speed up
Although the PPI Bill becoming a reality for South African organisations has been debated for a while now, the President’s signing the Bill into law seems imminent.
Johannesburg, 15 July 2013 - “Considering the Bill has been passed by the National Assembly Portfolio Committee, and approved (subject to some minor amendments) by the Council of Provinces, the President’s signing the Bill into law seems imminent,” says Daniella Kafouris, privacy leader at Deloitte Legal, commenting on the results of the ITWeb/Deloitte PPI Bill Survey, which ran online for 14 days during June.
According to the survey, 41.11% of respondents have not yet started complying with the PPI Bill.
“With only a one year period provided to achieve compliance, those companies who have yet to start compliance steps will struggle to become compliant in time. Non-compliance not only has significant penalties, including fines and jail sentences, but it will also affect a non-compliant company’s ability to continue typical business practices like direct marketing, outsourcing and cross border data flows. It is strongly recommended that companies undertake a detailed gap analysis so that they can grasp exactly what they need to do to become compliant, what that will practically involve and how long it is likely to take,” advises Dean Chivers, director of Deloitte Legal.
When asked whether their organisation had appointed a privacy officer, a small proportion of respondents (24.44%) said they had, while a relatively large proportion (56.67%) had yet to consider it.
Chivers explains, “It is a legal requirement that every company appoints a privacy officer. To not do so would be a contravention of the Protection of Personal Information Law. We recommend companies appoint a privacy officer sooner rather than later, as it provides a focal point for the implementation of the company’s compliance process. It also facilitates the privacy officer becoming familiar with the practical implications of becoming compliant and understanding his/her role.”
Commenting on how organisations can benefit from having information security policies, processes and procedures in place, Kafouris advises, “Security in respect of people’s data is something that all reputable companies have always considered as part of good data governance.”
The PPI Bill now legislates this governance requirement, so strong data security not only addresses compliance with the new law but also demonstrates respect for people’s data and, in turn, reinforces commitment to good corporate and data governance.
Just over half of the respondents (56.1%) stated that their organisation has information security policies, processes and procedures in place; 10.98% said they have no high-level data security, 12.2% secure only softcopy data and 10.98% secure only hardware data.
The survey also showed that respondents (21.18%) regard systems that have not been secured correctly as one of the highest privacy risks to their organisations; third-party service providers and poor policy governance were also viewed as significant concerns, at 16.47% and 14.12% respectively.
44.3% of survey respondents stated that their organisations do not transfer personal information across borders, while 27.85% said that they definitely do. Chivers elaborates on this finding, “The Protection of Personal Information Law is very much aligned to the data privacy laws in effect across much of the world, including the UK, the EU, Canada and Australia. All data privacy laws regulate and restrict the ability of companies to transfer personal information across borders. As this will be a new restriction to South African entities, one needs to start by understanding which countries your entity transfers data to, and then analyse their data privacy laws. This is the starting point to understanding what will need to be put in place to allow such cross border data flows to continue.”
“All South African entities need to understand that the Protection of Personal Information Law impacts all aspects of data management and utilisation. This means it affects almost every aspect of a company’s business operations. This includes the manner in which data is collected, what can be done with it and when it must be stored and destroyed. It also significantly changes the rules around common business practices like direct marketing, outsourcing, shared services and cloud computing, which is the first step to understanding what you will need to change in your current business processes,” Kafouris concludes.