Illustration: Colin Daniel

The EU’s new General Data Protection Regulation (GDPR) recently came into effect. The long-awaited law changes the way in which companies are required to collect, store and process personal information – affording EU residents better protection and greater control. While the GDPR has helped to bolster consumer rights and protections in the EU, many companies were ill-prepared when it came into effect.

South Africans can look forward to similar protection as a result of the Protection of Personal Information Act (PoPI). The Act is anticipated to follow GDPR, with implementation expected later this year, after which institutions will have a one-year grace period to comply with the new regulations.

“This will have a significant impact on businesses that collect and store personal information,” says Sonja Visser, chief executive of life assurer African Unity Life. “Therefore, companies will need to make sure that they are ready and compliant for when this kicks in.”

Visser explains that the Act now requires organisations to obtain the consent of data subjects before collecting information, and to stipulate exactly what kind of information they need and why they need it.

“Information must also be destroyed if the subject requests it. Safeguards will need to be put in place to protect this information and individuals must be notified in the event of any unauthorised access.”

The Act will have many positive implications for consumers, whose sensitive information will now be safer than ever before. However, Visser believes that implementation may present some challenges for organisations, which will need to have the right technology and processes in place to ensure that they comply.

She says that insurers will naturally have to comply with these regulations, and will be faced with the challenges of balancing an individual’s right to privacy with business practicalities and the costs of compliance.

Businesses or individuals that fail to adhere to the conditions could face serious consequences, including a fine of up to R10 million or a maximum of 10 years in jail.