Protection of Personal Information (PoPI) Act - Palladium

POPI – Friend or Foe

Is the Protection of Personal Information (PoPI) Act just another piece of legislation trumped up by politicians or is it just good business practice that has been neglected over the years ?

Gone are the days when companies can be lackadaisical in their approach to the protection of their client’s personal information. Ignoring the PoPI Act will soon result in hefty fines and even jail sentences.

Systems that were originally put in place to store and protect personal information have become a major threat to organisations and more specifically, to the businesses or individuals who entrust their personal or business information upon these organisations. As a result, thousands of SA companies now find themselves in an uncompromising position.

Palladium Business Solutions managing director Stephen Corrigan says these risks can be split into three categories. “Companies that acknowledge the rulings and opt to embed the risk and not take appropriate action to become PoPI Act compliant. Secondly, companies that realise their current systems will soon be obsolete and are now taking steps towards compliancy.”

“And finally, institutions that naively assume that because they simply have a reputable software in place, wrongly adopt the view that their vendor’s product is automatically robust enough to match the requirements of the Act,” he adds.

The arrival of the PoPI Act is imminent, with an anticipated commencement date of July 2016. The legislation fundamentally indicates that personal information is a ‘precious good’ and businesses found to not treat their clients information in such a way, will incur a strict, unforgiving penalty.

The POPI Act permits fines up to the value of R10-million with the possibility of a jail sentence. Pleads of ignorance and naivety of the PoPI Act will not shield businesses from punishment. The severity of penalties will be determined solely by the extent of the infringement and the degree of negligence.

“Because of the stringent penalties, it’s imperative every business is mindful of the conditions of the PoPI Act and exercises due diligence when they’re in the market for an accounting system,” he stresses.

Corrigan says the decision making process in determining which accounting software to purchase has never been so critical. “The assumption that all accounting software providers are secure and POPI Act compliant, is a common misconception and companies need to be aware of this.”

There are multiple aspects of the POPI Act that aren’t accounted for by many available accounting systems. For instance, the Act stipulates that consumers must be notified if, or when, their data is compromised.

“This may be a simple regulation to abide by, but it’s worth contemplating the potential implications on consumer trust and potential irreversible damage to a company’s brand. It’s important to mention that there are reputable accounting and related systems that are plagued by data corruption. So what might appear to be an unlikely scenario, may in fact be an unbeknown inevitability, simply because of the chosen vendor,” he warns.

The POPI Act demands that there are adequate measures in place that allow companies to dictate and monitor employee access to client information. Not every registered employee on an accounting system needs access to the personal information of clients to carry out their duties. Thus to be compliant, a prospective system should possess the relevant security features that enables the company to appropriately tailor employee access to certain areas of the system.

Furthermore, it’s imperative that businesses have safeguards in place that ensure that client information cannot be compromised. Therefore, it ought to be considered how potential accounting vendors store their data, with regards to their applications database, and how easily these systems can be hacked or compromised.

“A simple YouTube search will quickly demonstrate that this safeguard is not a given with some software providers, thus research needs to be taken into the underlying technology that vendors systems utilise,” says Corrigan.

Another requirement one can deduct from the PoPI Act, is that implemented software systems need to be stable and have rollback capabilities. This is to ensure data integrity and perpetual accuracy of client information.

Corrigan says because of the outdated databases some providers still utilise, this is a key requirement that cannot be guaranteed by numerous suppliers. “There are several considerations that need to be taken into account when choosing accounting software.”

“Although it may be easy to view compliance as an inconvenience, it should in fact be seen as a business opportunity. As companies experience ever intensifying competition, PoPI Act compliance ought to be seen as a unique selling proposition. Companies that are quick to take action will be in a position to use PoPI Act compliancy as a source of differentiation from competitors.”

“At the end of the day, exercising due care in the protection of third party personal information shouldn’t be regarded as another piece of laborious legislation, it’s the right thing to do,” concludes Corrigan.