The Protection of Personal Information (POPI) Act is set to revolutionise South African businesses at every level, from the person who answers the phone to the board.
This warning comes from Leishen Pillay, Hogan Lovells Partner, who with Gareth Cremen, also Partner at Hogan Lovells, addressed attendees of the Global Business Travel Association workshop at the FNB Conference Centre on August 24.
This week, our sister publication, TAM has reported on various aspects of their address on the Act, including how non-compliance with data protection could damage business reputation; the consequences of non-compliance with the Act and why ‘consent is key’.
When the Act is implemented next year, companies would need a privacy or information officer to ensure that data protection standards were complied with, according to Pillay. He said that while the person's designation was not important, they should have a good working knowledge of the legal framework, meaning the POPI Act itself, together with an understanding of compliance and risk.
Cremen gave the example of hiring an employee, believed to be trustworthy, who then took the company's database of personal information with them when they left. “In an instance like that, you will be found guilty,” said Cremen.
Pillay went on to discuss processes and procedures that would need to be put in place to safeguard information, which he said were not finite. “As a general proposition, you need to be looking at two places at every level of your business. One is an organisational measure, the other is a technical measure, and that is required and those are straight quotations out of POPI.
“An organisational measure is a policy, procedure, standard operating processes, checklists and privacy notes. These are going to be quite onerous.”
He said that, from doing the implementation for some big SOEs and private companies, they had come up with about 13 policies, while at a lower level they had found about 10 to 15 checklists, standard operating procedures and other documents that supported those policies.
“But policies alone are not going to help you. That’s a tick-box exercise. We know we cannot comply with POPI from a mere tick-box exercise,” warned Pillay.
Technical compliance was ‘equally as weighty’. He explained that businesses should have processes and procedures, signed by employees, that set out how any information – including biometrics, key cards and passwords – is relinquished when they leave the company.
“The technical measures will ensure the following: Number one, they can’t access personal information without it being logged,” said Pillay. “Two: They are not allowed to copy and/or access information that they are not otherwise authorised to do.”
As an example, he explained that anyone, authorised or not, being able to copy information from a computer onto a USB drive, as employees routinely did, was a breach of POPI.
“POPI tells us that you must put active safeguards in place to ensure that unauthorised personnel cannot access that information,” said Pillay, adding that it was important to encrypt the hard drive of a laptop, to restrict which USB devices can be used, and to log the name and number of the person, the time, and the information copied from a database, so that steps can be taken against that person.
“In the first instance, that person should not be able to copy information they would not otherwise be authorised to do,” warned Pillay.
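The two technical measures Pillay lists above, that no access to personal information goes unlogged and that a person cannot copy information they are not authorised to copy, can be built into the data access layer itself rather than bolted on afterwards. The following is an added illustration, not code from the article or from Hogan Lovells: a small Python store in which every read or bulk export is authorised against a role and written to an audit log (who, what, which records, when, and the outcome) before any data is returned. The customer records, role names, permissions and user assignments are constructed for the example.

```python
"""Audit-logged, authorisation-gated access to personal information.

Added example: every attempt to read or export a record is logged before any
data leaves the store, and bulk export is a separate permission from a single
lookup, so a user who may look up one customer cannot copy the whole database.
All names, roles and records below are constructed for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed sample data: fictitious personal information of three customers.
SAMPLE_RECORDS: Dict[str, Dict[str, str]] = {
    "C-001": {"name": "A. Example", "id_number": "0000000000000", "email": "a@example.com"},
    "C-002": {"name": "B. Example", "id_number": "1111111111111", "email": "b@example.com"},
    "C-003": {"name": "C. Example", "id_number": "2222222222222", "email": "c@example.com"},
}

# Hypothetical role model: "read" is a single-record lookup, "export" is bulk copying.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "call_centre": {"read"},
    "data_analyst": {"read", "export"},
}

# Hypothetical user-to-role assignment. Users not listed here get no access.
USER_ROLES: Dict[str, str] = {"thandi": "call_centre", "sipho": "data_analyst"}


@dataclass
class AuditEvent:
    """One line of the access log: who, what, which records, when, and the outcome."""
    timestamp: str
    user: str
    action: str
    record_ids: List[str]
    outcome: str  # "allowed" or "denied"

    def format(self) -> str:
        return (f"{self.timestamp} user={self.user} action={self.action} "
                f"records={','.join(self.record_ids)} outcome={self.outcome}")


@dataclass
class PersonalDataStore:
    records: Dict[str, Dict[str, str]]
    role_permissions: Dict[str, Set[str]]
    user_roles: Dict[str, str]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _record(self, user: str, action: str, record_ids: List[str], outcome: str) -> None:
        # Logged before any data is returned, so an unlogged access cannot occur.
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user, action, list(record_ids), outcome))

    def _authorise(self, user: str, action: str, record_ids: List[str]) -> None:
        role = self.user_roles.get(user)
        # Unknown user or unknown role yields an empty permission set: fail closed.
        allowed = action in self.role_permissions.get(role, set())
        self._record(user, action, record_ids, "allowed" if allowed else "denied")
        if not allowed:
            raise PermissionError(f"{user!r} is not authorised to {action} personal information")

    def read(self, user: str, record_id: str) -> Dict[str, str]:
        """Single-record lookup; returns a copy so callers cannot mutate the store."""
        self._authorise(user, "read", [record_id])
        return dict(self.records[record_id])

    def export(self, user: str, record_ids: List[str]) -> List[Dict[str, str]]:
        """Bulk copy, the action that needs its own authorisation."""
        self._authorise(user, "export", record_ids)
        return [dict(self.records[r]) for r in record_ids]

    def denied_events(self) -> List[AuditEvent]:
        """The log entries an investigator would look at first."""
        return [e for e in self.audit_log if e.outcome == "denied"]


def make_demo_store() -> PersonalDataStore:
    return PersonalDataStore(dict(SAMPLE_RECORDS), ROLE_PERMISSIONS, USER_ROLES)


if __name__ == "__main__":
    store = make_demo_store()
    store.read("thandi", "C-001")                    # call centre may look up one customer
    try:
        store.export("thandi", list(SAMPLE_RECORDS))  # but may not copy the whole database
    except PermissionError as exc:
        print("denied:", exc)
    store.export("sipho", ["C-001", "C-002"])         # analyst role may export
    for event in store.audit_log:
        print(event.format())
```

The point of the structure is that authorisation and logging sit in one private method that every data-returning method must call, so neither can be skipped by a new code path; in a real deployment the audit log would go to an append-only sink outside the application's own write access, and the role table would come from the identity system rather than a literal.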
Source: tourismupdate.co.za