Information protected: the PoPI way

As the implementation date for the Protection of Personal Information (PoPI) Act looms, companies need to review how they gather, process and retain personal information, or they could face hefty fines and irreversible reputational damage.

If the Facebook-Cambridge Analytic data scandal taught the world one lesson, it is that consumers are more sensitive to personal information and governments are backing them. Facebook harvests consumer information for various reasons, including providing a better user experience.

However, in 2014/15, the social media giant allowed an app on its site from Cambridge Analytica, which harvested information from consumers, without authorisation, to target United States voters with personalised political advertisements. The personal information of more than 50-million people was compromised.

In 2018, Facebook was fined £500 000 (R9 million) for this breach. The incident took place before the European General Data Protection Regulation (GDPR) was implemented. Had it occurred after this, the fine could have been £17 million (R306 million) or four percent of global turnover, which for Facebook is £1,4 billion (R25 billion).

Similar to the GDPR, the South African PoPI Act requires companies to protect the personal information of employees and customers. It states that personal information remains the “property” of the individual. Companies, therefore, need to have the individual’s permission to gather and retain the information.

The Act provides numerous conditions for processing personal information, including processing limitations, purpose specification, openness and security safeguards. Companies, for example, need to disclose why they need specific information, what the information will be used for and how long the company plans to keep the information.

Personal information includes the individual’s contact details, demographic, personal history and communication records, but can also include payroll information, curriculum vitae, CCTV records and performance reviews.

If a company is found to have breached the Act, it can be fined up to R10 million and/or a jail sentence can be implemented. This does not take into account the reputational damage that a company faces. The act requires “openness” or transparency, which means a company must disclose to its employees or customers when personal information has been compromised or hacked.

Reputational damage is especially concerning with more consumer awareness. In an article for technology news website Tech Central, Alison Treadaway notes that data breach complaints increased dramatically after the implementation of the GDPR, which is partly due to the media attention given to the legislation.

She writes: “In the United Kingdom alone, there were 19 000 complaints from members of the public about privacy breaches in the six months after GDPR came into effect, versus just 9 000 in the same six months the previous year.”

A similar outcome can most likely be expected from PoPI, which has received substantial exposure. However, companies need not panic. While an organisation is responsible for protecting personal information, it will not be held liable if information is hacked, as long as the company took the necessary precautions and met the conditions outlined in the PoPI Act.

Unfortunately, the Act fails to provide practical steps to meet these conditions. The Small Enterprise Employers of South Africa (SEESA) suggests the following:

• Establish standards for processing and safeguarding personal information;

• Establish review policies to ensure compliance;

• Provide employees involved in processing information with the necessary training;

• Keep records of processing activities;

• Implement a system to access personal information to review, correct or delete information;

• Provide complaints handling procedures; and

• Determine effective management and reporting of security compromises.

Companies can start by reviewing who accesses personal information and how, by providing new clients with consent forms and by updating software security such as firewalls. Preparing for PoPI is vital for businesses to avoid being found to be negligent … or they might feel the full force of the Act and angered customers.