How the POPI Act can realise one version of the truth
By Andrew Hoseck
With many organisations still scrambling to meet the requirements of the Protection of Personal Information Act, 2013 (PoPI), it would be remiss not to ponder the far-reaching impact of the act.
Organisations have until 1 July 2021 to meet the Act’s various obligations, however, the process remains hugely onerous and will require considerable resources to successfully implement.
That said, the PoPI Act also creates the opportunity to simplify and optimise business operations and processes, embracing more appropriate and cost-effective technology solutions that provide short and long-term benefits. It can establish an infrastructure that is based on better data management and security.
The tricky part
A fundamental part of the Act is that during the process of collecting personal information, organisations must provide the requisite reasons for obtaining the data and importantly ensure that its shared with only authorised individuals.
The use of personal data within an organisation needs to be meticulously managed within stringent parameters. In essence, whilst employees work for the same organisation, they will not necessarily have access to the same data.
For example, the finance department will be allowed access to information such as banking detail and IDs while logistics will only have access to details such as a physical address for delivery purposes. Here, it becomes quite complex as how do you ensure that only certain information of an individual is provided to specific authorised departments and personnel.
Also, and this is where it gets even more complicated, what about physical filing systems that store thousands of documents with a massive paper trail? Surely you can’t go through each file, allowing and redacting information per department – it will take a huge amount of time and manpower.
There is a solid case for simplifying and modernising business processes. With the right technology solution, you can develop a complex matrix of what, when and why and for what and put in place user level access parameters.
The PoPI Act requires organisations to uphold a high standard of information. It is your responsibility, as the organisation, to ensure that personal data is accurate and recent. Technology will play a major role in automating this process, ensuring that data is regularly updated.
There will undoubtedly be education involved, as company customers and partners will have to be willing to update their information when a specific system, whether it’s an e-mail or website log-in, prompts them to do so. In time, as the specifications of the PoPI Act become more well known, users could be more forthcoming.
One version of the truth
Recent and accurate data lends itself to improved customer relations. Companies will now have an accurate database that will, for example, ensure marketing initiatives reach the right audience with maximum returns.
The PoPI Act will see the establishment of a central data repository – integrated systems that obtain information from a primary data resource – one version of the truth, therefore.
People can also request that their personal information is removed. Also, organisations can be asked to disclose how the information is used and who has access to it. Having the information on hand through a dedicated and current central repository, will ensure that organisations can readily remove information or gain access to where and when the data is being used. This will go a long way in fostering an open relationship with customers.
Security forms a core part of the PoPI Act requirements. Organisations need to take a long hard look at their security – both physical and digital – and ascertain where its weak points are and how they can be bolstered.
Loss of physical equipment can be catastrophic which is why the same level of protection as personal data residing in the cloud must be applied, for example.
Demonstrating how comprehensive the PoPI Act is, how do you manage your daily run-of-the-mill acquisition of information. For example, how are visitor’s books managed, what happens to the recordings from the cameras and so forth. This applies to both visitors in the building and employees that are recorded on a daily basis.
There is no doubt that the PoPI act has far-reaching implications, however, it also provides companies with solid regulations on how to update, streamline and secure personal information that benefit customers and the organisational operations.
*Andrew Hoseck is the COO at In2IT Technologies South Africa.