Pressure mounts as data protection deadline looms

January 11th, 2018, Published in Articles: EE Publishers, Articles: PositionIT

Once the Protection of Personal Information Act 2013 (PoPI Act) is made effective, companies will have a year grace period to become compliant with the act. In the meantime, agreements between corporate clients and their suppliers are already being updated to require compliance with data processing provisions contained in the act.

Pierre Aurel, Strategic Project Manager, e4

Pierre Aurel, Strategic Project Manager, e4

This year’s first quarter will be rife with companies scrambling to get compliant and focus their efforts on securely managing, storing and processing data.

The purpose of the PoPI Act is to ensure that all institutions conduct themselves in a responsible manner when processing, collecting and sharing private information, whether that of an individual or an entity: The crux is that the act will hold institutions accountable if personal information is compromised or abused, which is why it is critical for companies to address the issues with a sense of urgency.

For companies that store or process data within the EU, additional legislation awaits: The General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018 and carries far more severe penalties for non-compliance. GDPR is a significant change in privacy law and companies making use of third-party services or cloud hosting in the EU need to assess their data footprint within the EU. Compliance with GDPR does not automatically guarantee PoPI compliance and vice versa.

The appointment of a chief information security officer (CISO) will likely be a priority at the start of 2018 and this role will be tasked with PoPI compliance. The act makes it compulsory for every company to appoint an information officer that must register with the regulator. Until another individual is appointed as the information officer, the CEO will carry the responsibility. Most CEO’s will be eager to delegate this responsibility to reduce the administrative and compliance burden.

The key duties and responsibilities of the information officer include working with the regulator, handling queries, and oversight of the lawful management of personal information. Appointmenting a CISO could also mitigate risks in a world that is rapidly becoming more fraught with cybersecurity issues. The bigger challenge here is that the skill set for such an officer will be in great demand. There are not enough candidates with these unique skills and those that do, will be in greater demand.

Classification of data is another priority. The legislation determines that personally identifiable information is valuable and grants consumers the right of protection as well as the ability to control the use and disposal of this information. It is therefore important to understand what personally identifiable information is on file and why it is being stored.

Lastly, if a security budget has not been addressed already, 2018 is when this will occur. The industry is expected to dedicate more budget to IT, security in particular, with budgets exceeding 2017’s by at least 10%.

Send your comments to

Related Articles

  • South African Government COVID-19 Corona Virus Resource Portal
  • Ministerial determinations propose 13813 MW of new-build by IPPs, none by Eskom
  • Crunch time for South Africa’s national nuclear company, Necsa
  • Dealing with the elephant in the room that is Eskom…
  • Interview with Minerals & Energy Minister Gwede Mantashe