Companies should not be misled into thinking that proposed new privacy laws do not apply to them. Companies need to protect more information than they expect or they may face unintended consequences and obstacles, warns Professional Services Firm PwC.
Russell Opland, an associate director within PwC’s Advisory Division, who leads the firm’s national privacy practice, says that when one reads the title of the ‘Protection of Personal Information Bill’ (PoPI), one assumes it protects information only about people. However, one of the aspects of PoPI is that it may catch some organisations unaware in that it also applies to information about ‘juristic’ persons.
“PoPI is currently the most comprehensive piece of privacy legislation in the world and the burden of complying with it is going to be a difficult one, in part because of the extremely broad definition of ‘personal information’. For organisations with complex business processes that gather multiple types of personal information, the road to compliance is going to be even more challenging,” says Opland.
Companies as juristic persons
PoPI gives a ‘juristic person’ the right to the protection of its personal information, in much the same way as a ‘natural person’. A juristic person is defined as a company, entity, community or other legally-recognised organisation.
What this means for organisations is that, in addition to protecting the information they hold about customers (who are people) and employees, they are also going to have to safeguard the information they hold about customers who are companies, as well as business partners, vendors, suppliers, and so forth. This approach is similar to countries such asAustria,Switzerland,ItalyandDenmarkthat have privacy laws in place.
Organisations face hefty fines of up to R10 million, possible jail sentences, potential civil law suits, and the prospect of being ordered to stop processing personal information for breaching the provisions of PoPI, says Opland. “The enactment of the Bill will bring about a significant level of protection to individuals and companies inSouth Africawith regard to how their personal information is handled. Individuals will now have the ability to hold organisations to account for the ways their personal information is handled—or mishandled, as the case may be.”
A right to privacy
The main purposes of the Bill are to give effect to the constitutional right to privacy and to regulate the manner in which personal information is processed. The Bill also bringsSouth Africain line with international norms on the protection of data privacy, thereby allowing the flow of personal information toSouth Africafrom other nations with data protection regimes.
This is particularly important for services such as data centres or call centres outsourcing and IT software solution providers who host such information here for foreign organisations. However, local organisations with foreign operations must take heed of the data protection regulations in those foreign jurisdictions to ensure they comply when transferring customer or employee information with SA.
The Bill applies to all companies that collect, store, or process personal information. These include organisations such as banks, insurance companies, medical and health organisations including medical practitioners, retail stores, and the Government. It also includes all employee information, so every organisation is affected.
There are relatively few circumstances under which personal information does not need to be protected. For example, personal information that is in the public domain does not need to be protected. However, if it is taken from the public domain and subjected to further processing, it may then need to be protected, particularly if combined with other personal information that is not public.
Consider other legislation
Further adding to the complexity, Opland says that organisations will need to consider the requirements of other legislation relating to privacy such as the Consumer Protection Act, the Promotion of Access to Information Act, and the National Credit Act (to name just a few) when developing their privacy programmes.
Although PoPI provides a minimum set of conditions with which organisations must comply in order to process personal information, it also allows for stricter protections in other legislation. Therefore, organisations will need to undertake an assessment to ascertain which provisions of other legislation are stricter within their particular context, and take those into account.
This is likely to have a significant effect particularly in the area of the retention of information. Often, different legislation has different requirements for records retention.
South African organisations are expected to be fully compliant with the new Bill within one year of its enactment. According to a white paper issued by PwC’s Privacy Team in November 2011, based on research conducted with its larger clients, 74% of them believe it will take more than one year to become compliant, and an additional 13% are uncertain as to how long it will take.
Opland points out that when data protection laws came into effect in other international jurisdictions, such as theUS, most companies were given a two-year period within which to become compliant, with smaller businesses given three years. “The experience in other countries shows that, given the extent of the changes required, not only to systems and processes, but particularly to the conduct of employees, it is unlikely that companies inSouth Africawill become compliant in just one year. We encourage all organisations to begin reviewing the effect PoPI will have on their business, in order to be ready when the law goes into effect, most likely in the second half of 2013.”