South African organisations and citizens have until 7 November 2017 to provide comment.
The South African Information Regulator (“Regulator”) has indicated that the effective date for full promulgation of POPIA will likely be early 2018, following which all organisations will have one year to become compliant. The publication of the Draft Regulations indicates that the timelines set by the Regulator are on track.
“Based on our experience in implementing privacy and data protection projects across a range of organisations in Africa, and taking into consideration global privacy best practice, organisations should endeavour to become ‘Regulator Ready’ within, at the very least, the next 18 months” says Daniella Kafouris, Associate Director at Deloitte. “Our experience has shown that potential risks and resources must be factored into any rollout plans to mitigate the risks in respect of the handling of personal information.”
In June 2017, the Regulator published its 2017-2020 Strategic Plan (“Plan”), which sets out the Regulator’s vision, mission, values and mandates. The Plan further sets out the Regulator’s strategic objectives to be achieved over the next four years. The initiatives planned for 2017 and 2018 which support those strategic objectives are as follows:
- Development of a public awareness strategy;
- Evaluation of existing and proposed legislation and policies which may affect the protection of personal information and access to personal information;
- Regulations to be developed in accordance with section 112(2) of POPI;
- Needs assessments for two codes of conduct to be conducted with identified industry stakeholders;
- Strategy developed in respect of, and commencement of, the engagement with stakeholders concerned with the protection of personal information and access to information; and
- International and regional benchmarking and consultations conducted to align national legislation with international best practice.
In respect of the implementation and functioning of the Regulator, the initiatives planned by the Regulator during the course of 2017 and 2018 are:
- To develop the Regulator’s organisational structure with priority positions identified and funded;
- To develop corporate governance policies;
- To develop the Regulator’s branding and communications strategy; and
- To organise office accommodation for the Regulator’s office and staff.
Essentially, POPI will eventually become “business as usual” within an organisation’s culture, processes, procedures and information governance framework. Organisations need to take advantage of the 12 month grace period, because delaying the implementation of the processes needed for POPI compliance, especially where shortcomings have not been quantified, can increase costs exponentially.
“Being ‘Regulator Ready’ is a driver for overall business growth and sustainability regardless of the industry or sector within which an organisation operates” adds Daniella. “The failure by any organisation to be ‘Regulator Ready’ timeously constitutes a slippery slope towards non-compliance with POPI potentially attracting fines from the Regulator of up to R10 million per breach, or the imposition of imprisonment for a period not exceeding 10 years, depending on the level of non-compliance.”
Deloitte notes that there are benefits to being “Regulator Ready”, such as:
- Augmenting an organisation’s customer and stakeholder relationships as well as its good corporate governance;
- Ensuring trust in the organisation’s brand while simultaneously guarding against reputational risk;
- Enhanced data security, including protection against cyber-attacks such as ransomware and denial of service;
- Enabling cross-border trade and business relationships, as personal information can be transferred cross-border without onerous restrictions imposed by jurisdictions such as the European Union; and
- Enhancing the organisation’s overall quality of information as well as business management.
Some of the steps that organisations can start taking towards the transition of being Regulator Ready are:
- Privacy training and awareness - Organisations need to consider whether management and personnel understand the framework and environment within which the organisation operates, as far as personal information is concerned. It is imperative that the need for POPI is understood internally, as this will assist in a smooth transition.
- Deployment of a Governance and Data Privacy Target Operating Model for sustainable data privacy compliance. A data privacy target operating model (“Operating Model”) provides an overview of the proposed impact of data privacy on the internal structure, roles, responsibilities and management of an organisation and its business areas. There is no standard Operating Model for data privacy compliance purposes and organisations need to look at factors such as their footprint and structure to determine the model that would be best suited.
- An incident management plan is to be developed and in place. “A privacy incident management plan allows the organisation to be more proactive and less reactive in effectively dealing with any incidents involving the loss, damage or unauthorised access to the organisation’s data, including personal information,” says Daniella. “Important considerations such as whether the organisation is at risk of losing any of its customers’, employees’ or other stakeholders’ financial, medical and other personal information are to be top of mind, and adequate preparation for such an incident, with pre-defined steps and checkpoints, is to be in place.”
- A Personal Information Inventory (“PI inventory”) is a consolidated document which records what personal information is collected, used and stored within an organisation. Having a PI inventory in place will assist an organisation in addressing the pain points mentioned above.
In a technologically advanced world where commerce is dependent on the free flow of information, including personal information, it is necessary that organisations become “Regulator Ready” sooner rather than later. A lack of data protection compliance would not only hinder an organisation’s privacy compliance efforts with legislation such as POPI, but would also hinder the organisation’s commercial and operational footprint, as numerous jurisdictions may prohibit the transfer of personal information cross-border to other jurisdictions with inadequate data protection legislation.