IITPSA KZN Chapter webinar calls for moves to align with data protection, privacy legislation
With just a year’s grace to achieve compliance, organisations need to take proactive measures now to align with the guidelines of the Protection of Personal Information Act (POPIA). However, they should note that the Act should not be seen as a burden, and rather as an important set of guidelines to safeguard both businesses and their customers.
This is according to Sarisha Kisten, a practising attorney in KwaZulu Natal and the Managing Director of legal advisory Enyuka Consulting, who was addressing a webinar hosted by the KwaZulu Natal chapter of the Institute of Information Technology Professionals South Africa (IITPSA) earlier this week.
Outlining key pieces of data protection and privacy legislation – Europe’s General Data Protection Regulation (GDPR) and South Africa’s POPIA – Kisten said: “Compliance with data protection and privacy legislation goes beyond regulatory compliance, it’s about protecting your organisation’s reputation and people’s right to privacy. Personal data is a commodity which is often sold to data brokers. Whether people are using navigation services, adding their details to a Covid-19 registry or using biometric access systems, they are sharing personal information, and it needs to be protected,” she said.
Kisten said that data breaches could have devastating consequences. For an individual whose data was stolen, it could result in them having to change passwords frequently, enact credit freezes, conduct identity monitoring – and possibly being defrauded. For a business, it could negatively impact a business’s reputation through loss of brand value, loss of trust and potentially financial losses.
“The motive behind GDPR is to standardise privacy laws across Europe and protect citizens’ right to privacy – it is reshaping the way data is handled across every sector,” she said.
She explained that the GDPR applied to any company that stored or processed personal information about EU citizens – If your business offers goods and/or services to citizens in the EU, then you will have to consider GDPR compliance. Furthermore businesses will need to comply with GDPR even if they do not have a business presence in the EU but do business with EU citizens “South African businesses are urged to examine GDPR in relation their business operations to determine the applicability of the regulations,” she said.. Non-compliance with the GDPR could result in penalties which could be a costly mistake for businesses.
POPIA, which aligns with best practice legislation such as GDPR, commenced on 1 July this year and allows for a 12-month grace period until 30 June 2021 for organisations to comply. Kisten explained that POPIA aims to protect personal information processed by public and private bodies, set conditions or guidelines on how personal information should be processed, issue codes of conduct to regulate certain industries and how they manage personal information and provide for the rights of persons regarding direct marketing. The Information Regulator is tasked with monitoring and enforcement.
Kisten said that while POPIA made provision for fines of up to R10 million and up to 10 years’ jail time, enforcement would likely start with a notice of non-compliance issued by the Information Regulator, and that time would likely be allowed for any non-compliance to be rectified.
Kisten said it was important for organisations to understand what was meant by personal information and processing: “Almost all South African businesses keep information about staff and customers, and very few will be exempt from POPIA,” she said. POPIA will apply to any personal information that can be traced back to an individual – including photos, she said.
“Non-compliance could be raised by a breach, in an audit by the Information Regulator, or in a civil case. Organisations need become aware of the penalties, as well as the risks of reputational damage and losing customers and employees,” she said.
Kisten recommended that organisations should move now to become compliant with POPIA and other best practice data protection and privacy laws. She said the roadmap to compliance should start with the appointment of an information officer and/or a POPIA Committee, and then go on to analyse all data processing activities within the organisation. “Businesses must consider all facets of data processing in all divisions and all departments,” she said.
Related Post:
- Fundi Zwane launches her debut fragrance range, CAMAGU
- Trace X Gauteng Film Commission Filmmakers Competition Back For Fourth Edition
- Comfort Yummy For The Tummy
Organisations also had to train relevant staff on POPIA, she said. “Awareness is important, because it brings about a culture shift,” Kisten said.
There was also a great need for businesses to ensure that POPIA principles were integrated into contracts, procedures and terms and conditions. “POPIA measures need to be implemented throughout the business, and policies and procedures must be continuously reviewed and updated to remain compliant,” she said.
The IITPSA KZN chapter webinar on data protection and privacy was one of a series of webinars being offered to IITPSA members to share knowledge, network and keep members up to date with new developments. For more information on the IITPSA and its upcoming events, please visit www.iitpsa.org.za
Ends
Issued by ITP Communications on behalf of The Institute for Information Technology Professionals South Africa (IITPSA). For further information or images please contact Leigh Angelo or kabelo Phalane at leigh@tradeprojects.co.za or kabelo@tradeprojects.co.za