Durban - Ten years in prison or a R10 million fine. Those are the possibilities faced by companies if they are not compliant with the Protection of Personal Information Act, which is due to be implemented next year. The information regulator has already been appointed.

On Wednesday, at the Eset IT Security Conference, held at the Southern Sun Elangeni & Maharani Hotels, speaker Drew Van Vuuren, founder and director of iDatasec, said the act will give effect to the right to privacy.

Data leaks of personal information of either staff or customers will carry punitive measures for companies.

“The majority of SA citizens are ignorant when it comes to their rights, particularly their right to privacy. But organisations are going to have to change how they do business.

Companies are defined as an entity and any information regarded as personal information will have to be processed under the auspices of the act.

For a proven data breach, there will be punitive measures which could be up to 10 years in prison or a R10 million fine. Companies need to take reasonable steps to protect their data,” said Van Vuuren.

If, for example, a company outsources its payroll to a third party and that information is hacked, the company bears responsibility for that personal information.

A company will need assurance that the third party is also compliant, and the company has to prove it did everything in its power to protect that personal information should a complaint be laid.

There are two levels of information which require protection: basic personal information, including details such as name, address, contact numbers; and sensitive information which may include medical history, religious or political affiliations, sexual orientation and any information relating to children.