The impending Protection of Personal Information Act (POPI) is an opportunity for South African corporates to enforce sound business practice across their interests and effectively 'clean house', says Anne-Marié Pretorius, partner at Bizmod.
"South African companies are on the low end of the spectrum when it comes to information security spend. POPI provides the motivation required to update the various aspects of business where personal information is impacted," says Pretorius.
Pretorius says that she's noticed a reactive strategy by many large companies when it comes to POPI. "Companies are adopting a 'wait and see' approach with POPI due to the fact that the regulator has not been appointed, and a deadline hasn't been set." Pretorius warns against this approach considering the substantial time and focus that POPI implementation requires. Failure to comply with the new act could lead to stiff punitive consequences.
International implications
Europe enforces strict POPI conventions, and as a major trade partner South Africa will need to follow similar guidelines, says Pretorius. "Increasing data security and quality, amongst other things, will greatly benefit those businesses that rely on trade with Europe and the US."
Introspection
Pretorius says that breaches in security at a business level are not always external. "Often breaches in security come from the inside through the 'innocent' sharing of passwords, scribbling said passwords onto scraps of paper or leaving portals logged on before leaving a workstation.
"Education is a critical step in the adoption of POPI - specifically laying out what is and isn't acceptable in the workplace. A good example of this is the company printers. We're all guilty of printing documents and forgetting to collect them from the communal printer," says Pretorius. Printers are a huge risk area and often the source of company fraud.
Going forward
"It is recommended that companies use multifunctional project team(s) to implement the change management process required to comply with POPI, as this creates the required focus and momentum," says Pretorius.
"Approaching POPI from a legal perspective or compliance perspective only is not the correct way to tackle this diverse act. It is critical to approach this holistically and with a customised team that can effectively cover all elements including systems, people and IT."