Adrian Schofield, JCSE


A recent statement by Panda Security claims that very few SMEs have taken steps to comply with the Protection of Personal Information (POPI) Act, which was passed by the National Assembly. Signed into South African law by President Jacob Zuma in November 2013, POPI holds organisations responsible for the security of their customers’ information.

According to Adrian Schofield, manager of the Applied Research Unit at the Joburg Centre for Software Engineering (JCSE), as with many issues related to compliance with legislation and regulation, the primary challenge for SMEs is capacity – capacity to be aware of their obligations, capacity to research and understand their obligations, and capacity to carry out their obligations.

“POPI is closely related to PAIA [Promotion of Access to Information Act] and I would suggest that many (if not most) small businesses are not yet compliant with the requirements of PAIA – a relatively straightforward piece of legislation which has been in force for a few years. By contrast, POPI is complex, not easy to read and potentially onerous to implement in a small enterprise,” he says.

Schofield believes many SMEs will not realise the broad scope of “personal information”, nor how or where it is collected and stored within their business systems. “The Act covers all records containing personal information, in any form, regardless of how they came into existence.”

On another topical issue, says Schofield, SMEs are being actively recruited into using cloud services. “A high proportion of these services use data centres sited outside of SA. The limitations on when this is acceptable must be understood. Vendors often claim to be compliant with laws of the countries where they offer services but there should be a written statement available to all clients, detailing exactly how and to what extent.”

FINANCIAL REASONS

Van Vuuren, CEO of 4Di Privaca, believes SMEs are the market segment most exposed to the risk of non-compliance with POPI, given that they are the cornerstone of the South African economy. He also believes their lack of compliance is largely for financial reasons. “Furthermore, organisations in this segment don’t manage large budgets for IT (and by association ), so they would be relatively weak where it pertains to having the controls in place that the POPI Act speaks to,” he explains.

He points out that many organisations in the SME market outsource a large portion of their IT function to third-party service providers because it is economically more efficient to do so. “So by the same token, if they do outsource the IT management function, they are exposing themselves to high risk in that the service providers are not necessarily operating in compliance with the POPI Act.”

According to Catherine Berry, senior underwriter: financial & professional lines at Camargue, “As with any new piece of legislation, compliance with the requirements of the Act involves a financial outlay, as well as the redirection of the efforts of human capital to focus thereon. POPI is no exception, and the financial ramifications of compliance are yet another financial burden facing SMEs (who already have to comply with other legislation such as the Companies Act, the Consumer Protection Act and, in the financial services sector, FAIS). While this financial outlay is not unique to SMEs, the impact there is obviously felt more acutely than in larger organisations.”

LACK OF UNDERSTANDING

According to Dawie Malan, head of software sales at Ricoh SA, SMEs might not adequately understand how the POPI Act affects their business. “Most people have a vague notion that POPI exists and that it concerns the collection of personal information, but the further ramifications escape them.”

He agrees that, since they often don’t have the internal resources to figure that out, they’ll have to pay consultants to do it for them. “Some may see that as an onerous expense, but the cost of not doing it could result in the POPI fines or prison terms being handed down,” he says.

Although POPI has been spoken about and mentioned in the media for some time now, people only seem to have a vague notion of what it entails, and it has not been taken very seriously as a result, Malan continues.

Van Vuuren agrees that not many small businesses understand how the Act works and how it affects them. “Most organisations are taking a ‘wait and see’ attitude. Enterprise segment corporations have begun investing heavily in ensuring compliance with the Act because generally they are the first tier that any vigilant regulator would target for investigation.”

Berry says it appears as though a significant portion of SMEs are unaware of the promulgation of POPI and, more so, of the impact the legislation has upon their business. “While the repercussions of violation appear to be one of the areas of the Act which is known and accepted to be onerous, the same level of understanding and concern does not necessarily appear to apply to the actual requirements and implications of the Act.”

According to Schofield, the Act refers to fines of up to R10 million and prison terms for offending persons, but SME owners will not regard themselves as being in the ‘big business’ category, where the risk of exposure is high and the loss of thousands of personal records can occur (as has happened in the credit card industry, for example).

“SMEs will take the view that their processes are generally ‘safe’ and that the risk of violation is low. Even if they are in violation, through omission or negligence, it is unlikely to be a wholesale breach and the Act offers the opportunity for a negotiated settlement with the aggrieved party, thus avoiding a criminal prosecution,” he explains.

NON-COMPLIANCE

Malan believes the moment SMEs take the Act seriously will be when they see the repercussions of not achieving POPI compliance enacted against another SME. “When the threat of potentially going out of business due to the range of penalties for non-compliance becomes public, then they’ll take it seriously,” he says.

Malan points out that the penalties range from a prison sentence and a fine to one or the other. “The prison term can be as long as 10 years, but more commonly a fine will be issued and/or 12 months’ imprisonment.”

On the other hand, he says, the carrot approach is that POPI aims to protect personal information and make the act of collecting customer information far more transparent so it will naturally instil confidence in customers.

“Any business therefore that deals with large volumes of customers will stand to benefit from compliance and those that do will be able to market themselves accordingly,” he explains.

Catherine Berry, Camargue

According to van Vuuren, SMEs will do well to begin to understand the implications, because any failure on their part to address the requirements of POPI, and any violation through the inadvertent loss or theft of data, may sound the death knell for the business, due to the large punitive measures stipulated in the Act and the fact that any loss or theft of data will need to become public record. He believes every organisation needs to take POPI seriously, regardless of company size. “Smaller companies are most likely processing the largest volume of personally identifiable information that the Act speaks to. This information needs the correct measures in place to protect it, and by showing leadership in the uptake of the Act, the SME market will ensure that other segments take the Act seriously. No business is immune to the Act, and the sooner the organisations in the SME market realise that and take appropriate action, the sooner they will ensure that they are not inadvertently targeted by the Regulator for review or by those with nefarious intent for exploitation.”

GOVERNMENT INVOLVEMENT

Communication between Government and business owners should be improved, says Schofield. “We should be using the technology available within government to disseminate information about business legislation and regulation and then to confirm compliance. Every enterprise that is registered with CIPC [Companies and Intellectual Property Commission], the SETAs [Sector Education and Training Authorities] and/or SARS [South African Revenue Service] can be sent information in an easily digestible format and can be required to submit annual returns of compliance – they could even be required to show they have registered their ‘Information Officer’.”

He believes that beyond such registered businesses there is little purpose in pursuing enterprises below the official ‘radar’ – they are either not exposing themselves or their stakeholders’ data to privacy violations, or they are non-compliant in many other areas as well.

“In addition to direct Government communication, the professional advisers (accountants and auditors) should make it part of their professional duties to make their small enterprise clients aware of POPI and PAIA legislation and to assist them with achieving compliance. I would suggest that industry associations do the same, although their membership represents a minuscule proportion of the total number of SMEs operating in SA,” he says.

Berry believes that engaging the services of experts to assist in disseminating the relevant information in the face of complex legislation is advisable. “SMEs can seek advice on POPI’s impact on that particular organisation and get help devising an appropriate implementation plan. There are several organisations offering varying levels of POPI advisory services, ranging from gap assessments to full ISO 27001 audits.”

Furthermore, she continues, there is a significant amount of information freely available online which not only explains the intricacies of the Act, but also provides implementation checklists to assist SMEs in complying.

SLOW UPTAKE

The reason smaller companies are not taking the Act seriously enough can be attributed to an as yet undetermined commencement date.

“Although POPI was signed into law in November 2013, the actual commencement date of the Act is still to be determined by the President – perhaps this is a contributing factor towards the feeling of complacency,” Berry explains. “Furthermore, given that publicised South African data breaches are few and far between, there still seems to be a misconception that South Africans are immune to severe data breaches. That being said, it does appear that awareness has grown significantly in the past few months – largely due to the amount of press and training being provided on the subject.”

Says van Vuuren, “Many businesses in the SME market are awaiting the effective date before looking at working towards compliance.” He believes SMEs need a precedent, and need to see the attitude and approach of the regulator and its vigilance in enforcing the Act, before they will begin efforts to comply.

According to Malan, SME owners and operators have a lot to worry about already without POPI, and they often move from one crucial task to another. “POPI is not seen to be a crucial task at this stage because of the grace period. In some cases there is also a belief that certain businesses don’t deal with large volumes of protected information, and they think the exposure is low-risk, so they try to skirt the issue,” he says.

Schofield believes poor communication to small business owners, poor awareness of the effect that the Act will have on small enterprises, and the perennial South African characteristic of taking action only when it becomes necessary are further reasons for the slow uptake by SMEs.

ADDRESSING POPI

The good news is that there are several approaches smaller businesses can take in order to become POPI compliant.

Berry believes planning is everything. “By activating the process now, the impact on cash flow will be reduced – organisations that start the compliance process immediately prior to the cut-off date will definitely feel the impact more. Careful planning will also facilitate a more practical and smooth conversion to compliance, with economical savings the upshot. Forewarned is forearmed!”

According to van Vuuren, SMEs first need to evaluate how they collect and process personally identifiable information. “They need to gain a greater understanding of the information they have collected, how it is processed, where it is kept and who has access to it. If they are utilising an external organisation to deliver IT services, then they need to get reassurances from their service providers that they are operating under the auspices of the controls stipulated in the Act. Stakeholders in companies which operate in the SME segment need to be cognisant of the fact that they are personally responsible for ensuring that the business complies with the Act. These stakeholders should evaluate the business model of how they manage and process personally identifiable information and adopt the controls as best they can to ensure that they are complying,” he says.

Dawie Malan, Ricoh SA

Malan agrees that a good first step for SMEs is to figure out what information they’re collecting, storing, using, processing and destroying. “Then they need to figure out where it all exists and whether it is secured. They also need to know that it can be audited,” he says.

Automation obviously simplifies the process immensely, Malan says. “With the interconnectedness of technologies and devices today it is also technologically feasible and eminently plausible to tie all the threads together, be they from a smartphone with e-mail and address book to a server running an accounting package and producing invoices and delivery notes. In many cases SMEs don’t have formal systems because they have grown organically from small or even micro businesses to become larger. Their systems often haven’t kept pace, so putting in some form of formal system, even a basic one, can not only put them in the green for POPI compliance but also improve their business operations.”

He believes this will lead to a win for everybody. “The real edge, though, will be figuring out what needs to be taken care of to limit expense and any potential business disruption, and to ensure that any work is completed quickly, effectively and cost-effectively,” he says.

Schofield states, “Quite simply, if SMEs are not yet aware of the issues, they will not address them.” He explains that POPI’s delayed enforcement puts it on the ‘back burner’ for even those business owners who are aware of the requirements. “While ignorance of the law is no excuse, for many, ignorance is bliss,” he concludes.