‘Digital denial’ about info bill

SA companies face challenges in implementing and complying with the Protection of Personal Information Bill and many don’t realise the legislation will apply to them when it is enacted later this year. By Craig Wilson.

Added by Craig Wilson on 3 July 2012.
Saved under In-depth, Top
Tags: , ,

Terence Kelly

Very few SA companies are fully compliant with the Protection of Personal Information (PPI) Bill, which is expected to be enacted as legislation later this year. Those that that don’t comply fully could face sizeable fines and individuals could even spend time in prison.

The legislation, which will enforce South Africans’ constitutional right to the privacy of their personal information, could also make it difficult for companies to do business outside SA’s borders.

Firms will most likely be given a year to comply after the PPI Act comes into effect. Dean Chivers, a director in Deloitte’s legal department, says it’s “one of these most difficult pieces of legislation for businesses to comply with” and there is an “astonishingly low level of adoption” by corporate SA.

“The law is imminent, compliance is challenging, and entities should’ve begun the process but haven’t,” he says.

Aside from complying with the act, Chivers says it is simply a matter of good corporate governance to deal with information about people in the right way and that it is in the best interests of all companies to employ good practices irrespective of their obligations to comply with the legislation.

The PPI Bill deals with data privacy and how companies manage information about people.

One of the difficulties in complying the legislation comes in the form of cloud computing. Chivers says the bill states that cross-border data flows can only happen if the company receiving or storing data outside the country has its own data privacy legislation with which it complies. Alternatively, it must comply with the SA law.

Dean Chivers

“Almost no companies in SA are compliant yet,” Chivers adds. “Outsourcing and cloud computing are good examples. Once [the PPI Bill] is passed into law, most existing arrangements will be noncompliant.”

Multinational companies are likely to be particularly hard hit by the legislation. “The world is getting smaller and compliance is important for international commerce and complying with other countries’ data privacy laws.”

Though the penalties for noncompliance have not yet been set, Chivers says there is talk of a maximum prison sentence of 10 years and the European Union is looking at fines of up to 2% of global turnover.

Terence Kelly, associate director in Deloitte’s risk advisory division, says companies should also be aware of the reputational damage noncompliance could have. He says companies will want to deal with other compliant companies rather than take the risk of not doing so.

“In the digital world, the economy is moving towards allowing instant access to information,” Kelly says. “That’s going to force people to put information into a accessible position for you to be able to do what you want to do with it, whenever and wherever you want it. That makes compliance difficult.”

He says many companies outsource human resources and payroll information, and even information from security checkpoints. “All of this data is applicable, and all of it needs to be considered.”

Some people don’t realise they’re passing on personal information all the time, says Kelly. Any company that handles data about individuals will have to comply in one way or another.

According to Kelly, there is “deep digital denial” in SA about the PPI legislation, with companies putting off compliance for as long as possible. He says the potential impact is enormous and companies selling information will most likely disappear unless they change the way in which they do business.

“If you’re a database management company with the right compliance in place, you will have a competitive advantage over companies that aren’t because the likes of the banks will only want to deal with you,” says Kelly.

Under the PPI Bill, direct marketing is prohibited without consent. Chivers says it’s going to become significantly more difficult for companies to sell their databases.

“The Consumer Protection Act allows consumers to opt out — you can be marketed to, but there must be an unsubscribe option — but the PPI Bill requires that consumers opt in. That’s going to make it very hard to create and sell quality lists of individuals for marketing purposes.”

Chivers expects companies to respond in one of two ways: some, he says, will wait until the last moment to comply, while others will comply as soon as possible. He says those that comply quickly will have a sizeable competitive advantage, particularly as becoming fully compliant in a year is “probably optimistic”, especially in the case of large companies.  — (c) 2012 NewsCentral Media

Share this article

  • http://pauljacobson.info pauljacobson

    Well, in some respects companies have been subject to similar rules for years now and have been taking risks not complying. On the other hand, even if the Protection of Personal Information Act is passed this year, it may not go into effect immediately.

    This doesn’t mean companies should be complacent (I believe a consumer can enforce POPI-style rights now under the Right to Privacy and in the context of case law interpreting the right) but companies should adopt a clear and decisive strategy to bring their data practices into line with POPI’s principles soon.

    That said, the sky isn’t falling just yet.

Why TechCentral?

We know that as a prospective advertiser, you are spoilt for choice. Our job is to demonstrate why TechCentral delivers the best return for your advertising spend.

TechCentral is South Africa’s online technology news leader. We don’t say that lightly. We believe we produce the country’s best and most insightful online tech news aimed at industry professionals and those interested in the fast-changing world of technology.

We provide news, reviews and comment, without fear or favour, that is of direct relevance to our fast-expanding audience. Proportionately, we provide the largest local audience of all technology-focused online publishers.

We do not constantly regurgitate press releases to draw in search engine traffic — we believe websites that do so are doing their readers and advertisers a disservice. Nor do we sell “editorial features”, offer advertising “press offices” or rely on online bulletin-board forums of questionable value to advertisers to bolster our traffic.

TechCentral, which is edited and written by award-winning South African journalists, cares about delivering top-quality content to draw in the business and consumer readers that are of most interest to technology advertisers.

We’d like the opportunity to demonstrate the value of directing a portion of your advertising budget to TechCentral, whether your company is in the technology field or not. Numerous opportunities exist for companies interested in reaching our audience of key decision-makers in South Africa’s dynamic information and communications technology sector. We offer packages that will deliver among the best returns on investment available in the online technology news space.

For more information about advertising opportunities, and how your organisation can benefit by publicising itself on TechCentral, please call us on 011-792-0449 during office hours. Or send us an e-mail and ask for our latest rate card and brochure.