National Assembly votes in favour of Advocate Pansy Tlakula being appointed as National Information Regulator
Johannesburg, 7 September 2016. The long-awaited appointment of an Information Regulator has taken a huge leap forward, with the National Assembly voting in favour of Advocate Pansy Tlakula being appointed as the National Information Regulator, making SA globally competitive in terms of international data exchange laws.
Yesterday’s vote ends a frustrating delay of more than two years before the Protection of Personal Information Act (POPI) could become operational and effective.
While it is likely that many companies will now need to completely overhaul their information management systems, Deloitte says companies should not react by introducing, or spending money on, too many interventions, as clarification on some of the key practical steps needed to implement the changes is still outstanding.
“It will take time to get POPI compliant. Europe is celebrating their 21st year of privacy protection, and POPI was modelled on the EU Privacy Directive. The various country specific data protection authorities have in this period provided significant direction and guidance through regulation, position papers and opinions. South African organisations will expect similar clarity from Advocate Tlakula on a number of POPI aspects,” says Mimi le Roux, Associate Director: Risk Advisory Africa at Deloitte.
In terms of the transitional arrangements contemplated in section 114 of POPI, organisations would have 12 months to become compliant, although the Minister could provide for a longer period, not exceeding 3 years.
According to Deloitte, the first request could be for the maximum transitional period of 3 years to be provided, followed in close succession by a request for clarity around the breach notification protocols for both data subjects and the Regulator.
“Guidance will also likely be sought around the specifics of what constitutes appropriate and reasonable information security measures,” says Le Roux.
However, none of these clarification points should stop organisations from initiating, or making progress with, POPI readiness projects. Deloitte advises companies to take cost-effective “quick steps” to begin their journey to full compliance.
These include considering the reputational impact of data breaches, scenario testing the robustness of incident response plans, developing a perpetual inventory of personal information and using it to identify cross-border data flows, implementing a privacy training and awareness plan, reviewing information security strategies, and developing a plan for the retention and destruction of data.
The long-awaited appointment was delayed at the end of last year and again in June this year, yet implementation of the Act was becoming critical, as the delay was affecting trade relations with key partners.
“Until the laws became effective, key trading partners like Europe would not trust SA’s data protection laws enough to confidently impart information,” says Le Roux.
Multinational and local organisations positioning their services globally are all anxious about data sharing outside South African borders, for various reasons:
- IT projects and discussions around open data for economic development need to move forward
- Strategic decisions around location of cloud hosting need to be taken
- Global participation must be enabled for the South African economy to grow
With each delay to POPI, South Africa fell further behind the strides being made by peer countries in bringing their data laws up to scratch.
“We now need to be developing regulations and guidance notes to give life to the POPI Act, as Mauritius has done through its Data Protection Authority, and establishing precedent through case studies, as published by the Irish Data Protection Commissioner, or co-developing related legislation like cyber in conjunction with privacy, as done in the Ivory Coast,” says Le Roux.
“Even Brexit will not interrupt privacy significantly, as the United Kingdom will rely on their Data Protection Act 1998 enforced through the Information Commissioner’s Office, rather than the implemented EU Data Protection Directive 95/46/E,” she says.
The African Union (AU) also understands the imperative of privacy and established the AU Convention on Cyberspace Security and Protection of Personal Data.
Companies not taking the changes seriously do so at their peril.
The Regulator will be able to impose up to 10 years in prison, or a R10m fine, so it is important that companies take the changes seriously.
“Doing testing of each scenario and improving levels of risk awareness will be crucial for companies going forward,” concludes Le Roux.