Complying with the Protection of Personal Information Act (POPI) will mean taking a long hard look at your organisation’s applications and databases. The same kind of methodical approach that got us successfully through the Year 2000 crisis is needed.
SA technology innovator and leader in the capture and analysis of information, Argility, highlights the challenges around POPI compliance.
Argility CEO, Marko Salic, notes that 18 years ago, the world was in the throes of the Year 2000 (or Y2K) crisis. The IT Industry solved the problem by sheer bloody-minded persistence, creating and executing massive projects to locate and fix lines of code that used the two-digit date format, and might be compromised by the arrival of a new year using the “00” that could mean 1900 as well as 2000.
“A similar, though smaller challenge, faces South African companies as POPI comes into effect. Fundamentally, the Act requires any South African institution or juristic person to collect, process, store and share a third party’s information in line with certain requirements. The intent is to protect valuable personal information, and to ensure that individuals never lose control of information about their identity and thus, by implication, that identity itself,” says Salic.
In order to comply with POPI, organisations will need to identify where this kind of personal information is stored on their systems, and then put measures in place to protect it from hackers, and from being used improperly by the organisation itself. “As in the Y2K case, it is highly likely that this information will be found in disparate places across the organisation’s databases and applications. Most organisations have an untidy patchwork of legacy systems that have grown organically rather than been designed from scratch. Just tracking it down will be a significant task.
“Only once the location of the personal information has been ascertained can the appropriate policies be implemented.”
Salic confirms that at the practical level, organisations must first understand that POPI compliance is essentially a business issue. “The fines from non-compliance can range from a hefty fine or a goal sentence, or payment to those whose information has been compromised. There is also the question of reputational damage. The business therefore has to take ownership of POPI compliance, and ensure that a team is in place. It should not be seen as an IT issue, although IT will of course assume responsibility for the information that is stored and processed digitally – but personal information may also be stored and used outside of the IT system.”
The good news is that the date by which POPI will become effective has not yet been announced. “There will be a year’s grace period for organisations to comply, so it would appear that the earliest date would be in December 2018. But this should not be seen as an excuse for putting POPI compliance on the back burner. This is a very large elephant that will have to be eaten in small mouthfuls – best to begin now to avoid indigestion later,” Salic concludes.