Disclosure/Notification: “Oops … sorry to HAVE to tell you … but we’ve lost your data … again …”

As a custodian of personal information it is not only your responsibility to ensure you put adequate physical and electronic security measures in place to protect your data subjects’ personal information but also to notify them if such measures have failed. Such communication could take the form of:

1. a letter mailed to the last known physical or postal address;
2. an e-mail sent to their last known e-mail address;
3. communication placed in a prominent position on the website of the responsible party;
4. published in the news media; or
5. as may be directed by the Regulator.

As an international software vendor we deal with issues of data security on a daily basis and know that consumers are in for a real shock once this legislation comes into effect. At the moment ignorance is bliss. Prepare for regular sleepless nights over something that you can do very little about as once the proverbial cat is out of the bag there is no putting it back and your only option is to take precautionary measures to protect yourself (like changing pins or passwords).

As explained later, the general consumer has no idea of how often their data gets lost or stolen. It is less a matter of if their data gets out but rather when and how often it happens. Many companies do not even know themselves how often their data gets lost or stolen and even if they do, before PoPI, they probably had no obligation to tell their customers about it. The PoPI Act will not prevent these breaches, at least not directly, but it will bring about a new level of awareness and critical focus on these events when they occur. It is unfortunate though that the more diligent and scrupulous companies will likely receive the most negative attention in the early days due to their commitment to transparency and ethical behaviour, as opposed to companies who take the risk of non-disclosure or who cannot track (just do not know of) their own breaches. Furthermore, the long term side effect of these notifications could be that people become desensitized and/or just give up when they see how often their information is compromised and how little there is they can do about it.

Companies bound by codes of conduct or other regulatory bodies, such as in the financial services industry, should consider that their compliance and certification statuses could in the future depend on their ability to effectively implement and monitor their compliance to PoPI. Consider that all breaches are now reported to the Regulator and it is not a stretch to consider that a body like the Financial Services Board for example could consider these breaches as part of their audits.

The legislation is clearly necessary to keep up with technology in today’s electronic world and there should be consequences for not taking appropriate actions to protect this information. At WorkPool we embrace the ideals around transparency, accountability and responsibility that the PoPI legislation will bring about. However, this notification requirement (and resulting bad press and penalties) could cripple small businesses in South Africa who do not have the man power, systems, I.T. skills and infrastructure to make this a reality. Small businesses already devote a significant amount of resources in time and money to ensure compliance with existing regulations, not to mention labour related challenges. PoPI could be the last straw that breaks the camel’s back. We do not see how small businesses will be able to integrate the ideals and assumptions of essentially first world legislation into a third world environment in a way that is practical, while allowing them to remain competitive, if they do not have a business nervous system to manage this and take action immediately.