If you are a South African business owner, you have no doubt heard about this thing called POPI in the last couple of years. Given how long it has been since it first appeared, you’ve probably filed it neatly under “Things-They-Say-I-Should-Panic-About-But-Nothing-Has-Happened-So-I’ll-Worry-About-It-Some-Other-Time.” Right? Well, the time to dust off that file and start paying attention may be upon you. So, you know, pay attention…
What is all this POPI stuff anyway?
The Protection of Personal Information Act, which legal eagles call POPIA nowadays, but which sounds so much nicer when you just call it “POPI” (you know, like the Afrikaans word for a doll), is aimed at dragging us South Africans kicking and screaming into the 21st century when it comes to information security, by creating all sorts of legal requirements that apply to any use, storage, sharing or processing of people’s personal information. Think this doesn’t affect you? Think again… The definition of “personal information” is so wide that it includes basically any information relating to an identifiable person. Think about it: when you do business with a client, do you ask for things like their name, address or telephone number? All of that is classified as personal information, and you will have to comply with POPI in future.
Ok, but I heard POPI is not in effect yet, so why should I care?
You are technically correct, oh wise one. However… The office of the Information Regulator (the body that will police compliance with POPI, amongst other things) has been established and is busy becoming fully operational. Once that is done, the President will proclaim the bulk of POPI to be in effect, and you will have exactly 12 months to become fully compliant or face the consequences. Word on the street is that this 12-month period may kick off as early as later this year, but more likely in early 2019. So, if indications are to be believed, by 2020 you are going to need to know your POPI back to front.
Riiiiight…So I can start worrying in 2020…
Sure, you could. Just like you could start worrying about refueling your car when you are out in the sticks and your empty light is flashing.
Seriously, though, becoming compliant will not actually be that simple for all organisations. The requirements are quite comprehensive and, unfortunately, also a bit vague, especially when it comes to the practical things that you must do in order to comply. So you are going to need a lot of expert input in order to comply properly, and it may take you the full 12-month period to do so.
Also, you may actually have to partially comply with POPI as early as May this year.
Why? Because, Europe.
Europe? What do they have to do with anything?!
If you have clients in Europe, there is this wonderful little thing called the GDPR (doesn’t have quite the same ring to it as POPI, does it?), which is basically their equivalent of POPI. And guess what? Its two-year grace period is over and it becomes enforceable on 25 May 2018! So, if you have clients in Europe, they are going to start putting a lot of pressure on you from May this year to comply with their own information protection legislation. This is because this type of legislation (including POPI) also regulates the flow of information outside of your own country’s boundaries. So if your Europe-based client sends you an email that contains someone’s name, they may only do so in compliance with the GDPR, which only allows personal data to leave the EU if the recipient country or the recipient itself offers an adequate level of protection. The most practical way for you to demonstrate that protection from South Africa is to comply with our own equivalent legislation, and that would be POPI.
So what’s the good news?
The good news is that POPI overlaps to a large extent with the GDPR. So, by starting early with your POPI compliance project, you can kill two stones with one bird. No, wait, what? Anyway, POPI sets out 8 conditions for lawful processing, and the GDPR’s core principles cover broadly the same ground (lawfulness, purpose limitation, data minimisation, accuracy, security safeguards, openness towards the person concerned, and so on). So if you comply with the conditions in POPI, you can also comply with the GDPR with a little extra effort, since the GDPR is stricter on a few points, such as how quickly you must report a breach.
Right, so I’ll call my IT guy tomorrow
Not so fast… IT security is part of POPI, yes, but it is not everything. The legislation is much wider than that and also covers things like physical paper files, access restriction, etc. Also, from our discussions with clients, it seems some IT guys are a bit daunted by all that legalese. So while a discussion (or two, or three) with your IT guy is certainly a must, it probably will not ensure on its own that you are fully compliant.
POPI is really about making a mind-shift when it comes to handling information. By getting the right things in place early, and applying them consistently throughout your organisation, you can ensure that you are ahead of the curve. Give us a call and we can help you set off on this journey.