What SMEs need to know about the POPI Act
POPI seems to be the new buzzword, but there is still much work to do in ensuring business owners know about the new legislation and how it will affect their businesses. The new legislation, which was passed into law last year, is government’s effort to regulate the collection, dissemination and use of a person’s personal information and to ensure that this is done with the knowledge and consent of the information owner.
One of the biggest impacts of the act will be on how companies manage their data. One example is how a business conducts its marketing efforts: POPI will regulate how a business sends out communications to a database of potential or existing customers, whether through SMSes or emails promoting a particular product or service.
Compliance crucial to business’ future
For SMEs, the biggest challenge around POPI is a lack of understanding of the difficulties associated with becoming POPI compliant, says John Mc Loughlin, MD of ICT company J2 Software. For SMEs, as with so many things in business, keeping things simple is critical.
Mc Loughlin believes that many SMEs are aware of the possible repercussions of not being POPI compliant, but are currently ignoring it and only acknowledging this in private and when it keeps them awake at night.
“Nobody wants to be the first test case and pay the first fine – so if presented with the right solution at a reasonable price, the uptake should jump rapidly,” he says.
Mc Loughlin says many forward-thinking SME business owners will take the steps required to be compliant, while others will only consider it in more detail when they are sitting in front of the regulator, pondering their fine and watching their business fall apart in front of them.
“Becoming POPI compliant does not need to be a long and costly exercise. There are cost effective solutions available to the SME which will allow them to demonstrate their compliance to POPI and other general ICT compliance clauses almost immediately.”
Mc Loughlin suggests SMEs start with a policy that controls where and how sensitive information is stored and processed within the business and then enforce and report on compliance to these policies.
“The key is to have visibility – do you know what has changed? Who moved the data and where it was moved to?” he says.
For example, he says, if none of your employees need to work on sensitive data outside of the office, ensure that this data never leaves your servers, regardless of whether they are in-house or hosted. On the flip side of the coin, if your employees do need to work with sensitive data away from the office, make sure you know exactly what data is being used, when it is accessed and how it is protected.
“These are simple steps to not only ensure compliance but also give an SME business a more professional image,” he says.
The challenges and benefits
According to security specialist Heino Gevers from Mimecast South Africa, a cloud solutions company that specialises in email and information management, one of the biggest challenges will be finding the necessary skills and tools to harvest the legacy of personal information that businesses already have in storage.
Other challenges that businesses could face include processing information in a compliant manner, retaining it for the appropriate amount of time, and making it accessible to the owner without exposing the business to any additional risk.
Gevers adds that South Africa does need this type of law as it provides guidelines for organisations to classify, retain and process information in a way that protects the consumer against identity theft, spam, and the general misuse of their personal information.
“The benefits could be huge, with consumers being more willing to share information because they know that their personal information will be managed responsibly.
“Consumers will therefore engage more efficiently with businesses, especially online businesses, sharing the required information needed to transact with them,” Gevers says.
Factoring in technology
Mc Loughlin says technology is only one part of the equation.
“Technology is essential to the management of the data, and must cover specific business and legal requirements,” Mc Loughlin adds.
“Any solutions the business adopts must not only improve their operations, but also ensure compliance with relevant laws and codes. It all comes back down to policy. Do you have a policy around information security and device and data usage? What is the policy? Can you show it to us (or to your staff)? And then how do you measure compliance and enforce it? Having a great laminated and beautiful policy is worthless if it is not enforced and measured.”
On the other hand, Gevers says that if a business chooses not to use technology as a way to comply with the act, it will need to ensure that strict manual procedures are in place to protect the organisation.
“All staff should be trained on the POPI Act and their role in ensuring the company’s compliance, but without technology, the reliance on staff to not share sensitive information via email or through targeted phishing attacks is increased,” he says.
Gevers says that companies can also approach the POPI Act as a business function. “Compliance and governance are areas that every business should be well-versed in,” he says.
“The POPI Act will help ensure that the right amount of attention is given to these areas and that businesses are managing the data that passes through their systems responsibly,” he says.