6 March 2014 | Category: News
South African businesses are not ready for the looming implementation of the Protection of Personal Information Act (POPI), according to leading auditing firm Grant Thornton.
The POPI Act, which was gazetted in December last year, and which is currently awaiting an effective date, requires widespread reforms that both the private and public sector must introduce to ensure that the personal information and data they collect are protected. The new Act also provides strict guidelines, among other things, on what data can be obtained, how that data can be used, and the requirement that it should be kept up-to-date.
Michiel Jonker, Director: IT Advisory at Grant Thornton, says that, based on feedback which they had received from the business community, it is clear that most organisations are still not ready to implement the ground-breaking legislation.
“There are many experts such as IT security consultants we deal with every day who say that South Africa is not ready for POPI and that it’s not going to work. They say even some of the big corporate players are at different levels of compliance or not ready to implement it at all,” said Jonker.
Jonker said one of the reasons for this is that South Africa does not have the privacy culture of the more developed countries.
“We see all the time how passwords and the like go unprotected. Security cameras record personal information without securing permission or issuing a warning to those affected. The African continent as a whole is not geared for this level of privacy protection – we’re in survival mode and some believe that we are therefore not in a space to implement this complex legislation yet,” says Jonker.
While POPI has many benefits, such as compliance with international standards that could lead to greater investment opportunities in both directions, the costs of implementing it will place significant pressure on big business, says Jonker, due to the extra layer of administration that compliance requires.
These costs include the employment of additional specialised personnel, including expensive and highly-skilled privacy officers; the contracting of IT and business auditing service providers; and the need for specialist legal consultants to review all existing agreements which the company has with third parties.
In addition to the rising cost of doing business, companies are also faced with the potential of multi-million rand monetary fines, civil claims and reputational damage – if found guilty of POPI transgressions.
Lucien Pierce, legal partner from Phukubje Pierce Masithela Attorneys who collaborates with Grant Thornton on POPI matters and other items, says that the introduction of POPI could lead to significant fines for companies who are found to have had data breaches.
“Take Zurich Insurance as an example. The local subsidiary of the company experienced a data leak in 2008 in which they lost the data of more than 40000 clients when the South African branch of the company lost an unencrypted back-up tape during a routine transfer to a data storage centre. While the implication for the South African subsidiary was minimal, the UK’s Financial Services Authority imposed a 2 million British pounds fine on the UK office of the company due to the POPI-like legislation that was already in place in Europe.
“More recently one could look at Google as another example. The company has been criticised and fined for what European Union member states consider consistent breaches of data protection legislation. While South Africa does not yet have comparable historic data, these case studies are measures and direct comparisons that you could draw between the EU and here,” said Pierce.
Most at risk in South Africa are big corporate organisations dealing with sensitive information, says Jonker, because they will have to prove to the regulatory body that they took appropriate steps to offset any potential data breaches.
“A mom-and-pop shop with a few customers may need to implement basic security, but a huge medical aid entity with thousands of members, dealing with very sensitive information, will need a much bigger team of specialists and advisors,” adds Pierce. “Every business has to prove that they did what the ‘reasonable person’ would have done, considering financial constraints; the sensitivity of the data they collect, process and store; the industry standards and expectations and best practices, generally accepted by the international community.”
Jonker says many of Grant Thornton’s JSE-listed corporate clients have realised the magnitude of the administrative burden that the impending legislation presents and many have started to request assistance or have their own plans in place to ensure compliance once government sets its deadline.
“We’ve had quite a response from our corporate clients who want to be ready when the legislation becomes effective. It’s important to look at this in a global perspective and not in isolation. Any compliance must take into account the prevention of data breaches; the detection of breaches if the preventative measures fail and the ability to repair breaches and effect damage control.”
The cost pressures notwithstanding, Jonker points out the benefits in the long run could be very positive. The international business community, for example in Europe, prefers that South Africa should have privacy legislation in place before doing business. They are forced by their legislation to ensure that their business partners do enforce similar privacy controls.
There are of course alternatives such as binding corporate rules, said Pierce. These are arrangements where the EU authorises intra-group data transfers by multinationals. The approval processes can be quite tedious, so having one all-encompassing piece of information protection legislation that is approved by the EU makes the transfer of personal information to South Africa much simpler and quicker.
“This brings me to the argument that local dynamic organisations with significant future growth aspirations should see POPI as a business enabler or opportunity. It would eradicate even more barriers erected by international governments for SA executives to successfully embark on doing business internationally.”
The opportunities that POPI creates, however, depend on how well South Africa’s public and private sectors can embrace a culture of privacy.
“Once the culture is right all the other privacy measures will work. We need to start respecting the privacy of personal information. It starts with the tone of top management and filters to the mail room downstairs,” concluded Jonker.
Issued by Strat Comms on behalf of Grant Thornton South Africa
Lianne Osterberger 083 272 7313 / firstname.lastname@example.org
Notes to editors
About Grant Thornton South Africa
Grant Thornton South Africa is a member firm of Grant Thornton International Ltd (GTIL). Grant Thornton South Africa was founded in 1920 (previously Kessel Feinstein). We are leaders in our chosen market, providing assurance, tax and specialist business advice to dynamic organisations – listed companies, large privately held businesses and private equity backed organisations. In addition, public sector professionals from Grant Thornton are dedicated to providing specialised advisory services to government at all levels.
We employ 933 people in South Africa with 100 partners and directors. Grant Thornton has a national presence with offices in Bloemfontein, Cape Town, Durban, Johannesburg, Nelspruit, Polokwane, Port Elizabeth, Pretoria, Rustenburg and Southern Cape. South Africa is a major force in Africa, alongside 20 member firms on the continent. We operate in Algeria, Botswana, Côte d’Ivoire, Egypt, Ethiopia, Gabon, Guinea, Kenya, Libya, Mauritius, Morocco, Mozambique, Namibia, Nigeria, Senegal, Togo, Tunisia, Uganda, Zambia and Zimbabwe and are ideally positioned to facilitate clients’ expansion plans in these countries.
About Grant Thornton International Ltd
Grant Thornton is one of the world’s leading organisations of independent assurance, tax and advisory firms. These firms help dynamic organisations unlock their potential for growth by providing meaningful, actionable advice. Proactive teams, led by approachable partners in these firms, use insights, experience and instinct to solve complex issues for privately owned, publicly listed and public sector clients and help them find solutions.
Over 38,500 Grant Thornton people, across more than 120 countries, are focused on making a difference to clients, colleagues and the communities in which we live and work.
Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered independently by member firms, which are not responsible for the services or activities of one another. Grant Thornton International does not provide services to clients.
You may quote freely from this publication, provided you acknowledge the source. This publication is an outline for information purposes and should not be relied upon for detailed planning. Readers are advised to consult professional advisors for guidance relating to new or existing legislation which might affect their business and personal decisions.