Companies that handle people’s personal information, whether of clients or suppliers or simply their own staff, will have to meet stringent requirements when the Protection of Personal Information (PoPI) Bill is enacted and could face fines of up to R10m if they fail to do so.
Webber Wentzel partner Dario Milo says PoPI has been on the cards for a decade and is likely to become law before the end of the year. “Once enacted, companies will have one year to get their house in order,” he says, adding that the legislation is set to measure up well internationally because of frequent revisions that have taken progress in other regions into account.
One of the potential minefields of PoPI relates to transferring data across borders. Under the act, companies cannot transfer data to countries that don’t have adequate data protection laws, Milo says. This could prove particularly difficult for companies working in Africa north of South Africa because the continent has underdeveloped data protection practices and legislation relative to the rest of the world.
Milo says the act doesn’t just apply to “natural persons” but also to “juristic persons”, meaning that, for example, confidential correspondence between companies would fall under its purview.
The act will apply to any information about clients or suppliers, including their contact details and correspondence with them. It will also apply to all human resources and payroll data, curricula vitae, applications for employment, CCTV records, performance reviews and internal e-mail records.
An “information regulator” will be established to police breaches of PoPI and deal with and adjudicate complaints. Milo says this regulator will have sweeping powers, including the right to hand out enforcement notices, search property and seize equipment, and demand access to company systems.
In instances of transgression, those responsible face potential imprisonment of up to 10 years and/or a fine of up to R10m.
Milo says companies have to consider the reputational damage a breach would have, particularly as international information regulators have displayed an inclination to name and shame transgressors.
Webber Wentzel associate Greg Palmer says the security stipulations of PoPI include a duty for companies to protect data and to identify all reasonably foreseeable internal and external risks. Companies are also expected to establish and maintain “appropriate safeguards” and to regularly verify and update them.
Under PoPI, companies that experience a security breach and have information compromised will have to disclose this and inform all affected parties as soon as is reasonably possible. Companies may only delay notification if a law enforcement body determines that notification would impede a criminal investigation. — (c) 2013 NewsCentral Media