Very few SA companies are fully compliant with the Protection of Personal Information (PPI) Bill, which is expected to be enacted as legislation later this year. Those that don’t comply fully could face sizeable fines and individuals could even spend time in prison.
The legislation, which will enforce South Africans’ constitutional right to the privacy of their personal information, could also make it difficult for companies to do business outside SA’s borders.
Firms will most likely be given a year to comply after the PPI Act comes into effect. Dean Chivers, a director in Deloitte’s legal department, says it’s “one of these most difficult pieces of legislation for businesses to comply with” and there is an “astonishingly low level of adoption” by corporate SA.
“The law is imminent, compliance is challenging, and entities should’ve begun the process but haven’t,” he says.
Aside from complying with the act, Chivers says it is simply a matter of good corporate governance to deal with information about people in the right way and that it is in the best interests of all companies to employ good practices irrespective of their obligations to comply with the legislation.
The PPI Bill deals with data privacy and how companies manage information about people.
One of the difficulties in complying with the legislation comes in the form of cloud computing. Chivers says the bill states that cross-border data flows can only happen if the company receiving or storing data outside the country has its own data privacy legislation with which it complies. Alternatively, it must comply with the SA law.
“Almost no companies in SA are compliant yet,” Chivers adds. “Outsourcing and cloud computing are good examples. Once [the PPI Bill] is passed into law, most existing arrangements will be noncompliant.”
Multinational companies are likely to be particularly hard hit by the legislation. “The world is getting smaller and compliance is important for international commerce and complying with other countries’ data privacy laws.”
Though the penalties for noncompliance have not yet been set, Chivers says there is talk of a maximum prison sentence of 10 years and the European Union is looking at fines of up to 2% of global turnover.
Terence Kelly, associate director in Deloitte’s risk advisory division, says companies should also be aware of the reputational damage noncompliance could have. He says companies will want to deal with other compliant companies rather than take the risk of not doing so.
“In the digital world, the economy is moving towards allowing instant access to information,” Kelly says. “That’s going to force people to put information into an accessible position for you to be able to do what you want to do with it, whenever and wherever you want it. That makes compliance difficult.”
He says many companies outsource human resources and payroll information, and even information from security checkpoints. “All of this data is applicable, and all of it needs to be considered.”
Some people don’t realise they’re passing on personal information all the time, says Kelly. Any company that handles data about individuals will have to comply in one way or another.
According to Kelly, there is “deep digital denial” in SA about the PPI legislation, with companies putting off compliance for as long as possible. He says the potential impact is enormous and companies selling information will most likely disappear unless they change the way in which they do business.
“If you’re a database management company with the right compliance in place, you will have a competitive advantage over companies that aren’t because the likes of the banks will only want to deal with you,” says Kelly.
Under the PPI Bill, direct marketing is prohibited without consent. Chivers says it’s going to become significantly more difficult for companies to sell their databases.
“The Consumer Protection Act allows consumers to opt out — you can be marketed to, but there must be an unsubscribe option — but the PPI Bill requires that consumers opt in. That’s going to make it very hard to create and sell quality lists of individuals for marketing purposes.”
Chivers expects companies to respond in one of two ways: some, he says, will wait until the last moment to comply, while others will comply as soon as possible. He says those that comply quickly will have a sizeable competitive advantage, particularly as becoming fully compliant in a year is “probably optimistic”, especially in the case of large companies. — (c) 2012 NewsCentral Media