The POPI Act has been enacted to safeguard and ensure data privacy. Regulations have been created to ensure data is not misused and that the necessary security protocols are in place to ensure privacy and protection. South African organizations should manage data responsibly when collecting, processing, storing and sharing it, and the POPI Act outlines the implications should this not occur.
Within the POPI Act, certain rights of protection are granted to third parties who share their personal information with companies or organisations. Some of these include:
- Consent as to when and how one chooses to share their information with third parties
- The accuracy of one’s information
- Immediate notification should one’s data be compromised
- The type and extent of information one chooses to share
- Transparency on how a consumer’s data will be used
- Allowing one to have access to their own information
- The prevention of unauthorised people accessing one’s information; ensuring the privacy of one’s data
- How and where one’s information is stored
- The consequences for non-compliance
The fourth industrial revolution and a variety of new emerging technologies have led to the big data phenomenon and to data becoming the most valuable possible commodity. Companies, however, use and abuse data, stealing and sharing your data as they please.
Cambridge Analytica used people’s data to conduct trend analysis and determine which party people would vote for in the Trump Campaign and Brexit. The POPI Act has been created to aid data privacy as well as enforce regulations surrounding data privacy. Recently the SARB has initiated the intergovernmental fintech working group to aid and establish regulations on emerging technologies. POPIA will aid businesses and consumers to ensure the protection of their data and deter the misuse of data. POPI also ensures that if a data breach were to occur, the affected parties are to be notified and can thereafter mend the damage that has been done. POPI will ensure that those who previously operated in a grey area with people’s data no longer do so.
With 4IR and the emergence of various new technologies, a race has begun in which companies must participate or be left behind. Companies such as AWS have expanded and are growing in the South African market. Ensuring data security and compliance will aid the trust companies need to progress and initiate cloud adoption.
Many customers are not particularly fazed by data collection and protection. Many people happily hand out all of their data and share this online. That being said, those who are aware of the act will remain cautious in this regard, as you can never be too sure. Yes, now companies won’t misuse your data, but if hacked, an anonymous hacker will still misuse your data.
It is still early stages; however, compliance is necessary and companies will not want to be fined. Companies will adopt the regulations to ensure adherence because, if they did not, they would not only have fines levied against them, but this would also be detrimental to brand image.
Do I feel that regulators are well-equipped to hold companies accountable for data mishaps? Definitely, if they possess the necessary expertise to uncover these mishaps and who was involved. Hereafter the necessary legal procedures would take place.
Those who breach POPI will be liable to pay a fine or potentially face imprisonment, not exceeding R10 million and 10 years respectively. However, I think the implications for breaching POPI are larger than the official consequences. Brand image will be tarnished and your company will no longer be trusted. If we look at Cambridge Analytica for example, their brand was destroyed by their use/misuse of people’s data. This also drastically and negatively affected the Facebook brand.
The concept of POPI is a necessity in modern times. Covid-19 has also led to a race for digitalization and, as more people work from home and vulnerabilities differ, the enforcement of regulations could not be more needed. The fact of the matter, however, is that hacking will still occur and people will still hide behind their devices and have anonymity; therefore, focus can rather be put on those with actual criminal intent as opposed to businesses who comply with these necessary regulations.