Protection of Personal Information Bill: Companies should get their houses in order, soon
Issued by: Magna Carta
[Johannesburg, 19 December 2011]
“Organisations hesitant to fork out the extra cash and effort needed to start complying with the Protection of Personal Information Bill (PPI) should consider the significant international trade implications of non-compliance,” warns Deloitte's Senior Manager of Risk Advisory, Daniella Kafouris.
The PPI bill aims to regulate every step of data processing relating to personal information from collection to destruction. It also seeks to bring South Africa in line with global legislation regulating personal information, thereby facilitating international trade.
“Several countries and regions have strict privacy legislation in place. These include one of South Africa's biggest trading partners, the European Union, and Australia. South Africa must ensure that it stays aligned with the international regulation landscape to avoid losing out on trading opportunities,” explains Kafouris.
“Non-compliance with these international privacy laws will certainly be a barrier to trade.
“Organisations should not risk an unnecessary hindrance to international trade caused by abandoning privacy laws, especially when we consider the potential negative impact South Africa will experience following the current European economic crisis – non-compliance would just be one more obstacle that prevents financial growth,” explains Kafouris.
The Bill was updated on 19 October 2011, and the eight core principles have remained unchanged:
* Process personal information in a legal and reasonable manner.
When the Bill does become an Act, organisations will be given a year in which to comply, says Kafouris.
“Considering the extensive steps an organisation will need to undertake to become compliant, a year will likely be inadequate time. Almost every aspect of business will need adjusting, including financial systems, administration, human resources and archiving.
“This full compliance procedure could typically take up to three years. Organisations must act now if they are to comply. They need to start strategising about how they can implement these changes to meet the regulations without extensive cost to their businesses, and, importantly, to ensure that the changes they institute are going to add value to their companies.
“It is possible to add tremendous value to their business if they know how to strategically apply the legislation that will be laid out in the Act,” says Kafouris.
“Looking at the principles of the Act as a life cycle of personal information, the collection, processing and specific use of data is an opportunity for companies to begin a fresh relationship with their customers and engage with them in new and exciting ways, fostering new relationships.
“The requirement for archiving and destruction of information might seem drastic on the surface, but it also offers businesses opportunities and cost reductions as they travel the road to compliance,” says Kafouris.
“Organisations will be able to streamline their archiving systems as well as conduct long overdue data processing and records management processes. Simultaneously, data cleansing and updating will be possible. From a strategic perspective, organisations will have the opportunity to think purposefully about what they want to gain from their customer insights and use those insights fully, via data analytics,” says Kafouris.
“Ultimately, although PPI is still only a Bill, we believe that it is only a matter of three to six months before it is legislated. The certainty of this means companies need to get their strategic plans in place to ensure they don't lose out on international trade opportunities or fall behind on local competitive business,” Kafouris concludes.