Compliance challenges affecting South African businesses today
On 1 July 2021, South Africa’s Protection of Personal Information Act (POPIA) came into full effect. However, there is still a long compliance road ahead for most South African businesses.
Our compliance and governance experts dive into some of the key compliance challenges organisations will face as they adapt to POPIA in action.
1. POPIA in practice
While businesses have had several years (and a twelve-month grace period) to prepare for POPIA in theory, many are still grappling with the practical implications of the regulatory requirements. As a result, there is still a lot of trial and error when it comes to the reality of things like responding to data subject access requests.
Data subject access requests are very labour intensive. Organisations need to ensure they have adequate and trained resources available to handle them while not hindering business as usual. Of course, that’s very difficult to do without some idea of the volume and extent of access requests you’re likely to receive from the public, and an organisation that has never handled them before has no historical baseline from which to predict this.
It’s not just resource allocation that is going to take some time to get to grips with, either. POPIA’s actual legislation is still unclear in some areas as well.
POPIA is unique in that it provides protection for personal information of juristic persons (like companies and NGOs) as well as natural persons. Unfortunately, there is very little detail on what constitutes personal information in the context of a juristic person. The Act is very explicit regarding personal information for natural persons (such as gender, marital status, health information), and far less so for their juristic counterparts. Aside from the obvious examples, such as company registration number, VAT number and financial information, there’s little guidance within the legislation. We expect a lot of organisations will want more information from the Regulator on this as time goes by.
Another example relates to personal information impact assessments. Information Officers are obliged, in terms of the regulations, to conduct these assessments on all processing activities. However, neither the Act nor the regulations provide much guidance on what these assessments should look like or cover, except to say that they should ensure that adequate measures have been implemented to comply with the Act.
2. The convergence of law and technology
With the large majority of personal information and data being created, shared and stored electronically, technology has become a vital component of compliance. As a result, legal/compliance teams are having to collaborate with IT – often for the very first time.
IT can no longer have free rein to switch technologies on and off without understanding the legal ramifications and Legal can’t keep doing things in their traditionally manual, analogue way. Technology needs to be leveraged to facilitate and enable compliance, but the relationships needed to achieve this have not typically existed between IT and Legal before now.
A lot of organisations are struggling to effectively bridge this gap and forge the right communication channels.
It’s something we’re helping a lot of our clients address, with our own IT and legal experts acting as ‘translators’ to get everyone on the same page and speaking the same language.
There are other mindset shifts required by the convergence of law and technology, too.
Historically, a lot of organisations retained their paper-based documents using filing rooms and outsourced document storage facilities, limited only by the cost of their physical retention. When digital became the norm, retaining information became even easier and more cost effective and so we saw an escalating tendency to retain data indefinitely.
Now, with laws like POPIA in effect, however, organisations are legally required to delete personal information that has outlived the purpose for which it was collected.
Companies are having to overcome their ingrained hesitancy to delete data, and start leveraging technology to not only apply appropriate retention policies, but compliant disposition policies as well.
3. Compliance skills shortage
Technology evolves, regulations adapt, and compliance goal-posts shift. Without the right experts on board, organisations (particularly in highly regulated sectors) will struggle to stay on top of their compliance obligations moving forward.
Recruiting personnel with the right skills is becoming increasingly challenging, however.
Compliance experts need a much wider range of skills today than ever before. It’s not just legal knowledge – you also need to understand the technology landscape, business strategy, and how to work effectively with people from a variety of different business departments.
As if finding this relatively rare combination of skills wasn’t difficult enough, competition to recruit this special breed of compliance specialists is at an all-time high.
Very few businesses are going to be able to build their ideal compliance team through recruitment alone. There’s going to be a lot of on-the-job learning taking place. Having the support of a partner like Cloud Essentials during this process can be invaluable. You’ll have all the in-depth, specialist knowledge and advice you need to put the right people, processes and technology in place without putting your business at risk in the interim.