South African Data Protection Law: Implications for Security Managers

The advent of developments in technology and access to information has raised the profile for data protection and privacy globally.

Legislators across the world have grappled with the treatment and flow of personal information, and South Africa is no exception. The enactment of the Protection of Personal Information Act 4 of 2013 (“POPI“) has introduced a new regime for data protection in South Africa.

Whilst not all of the provisions of POPI have come into force, the provisions under POPI pertaining to the establishment of an Information Regulator and the making of Regulations have recently come into force.  The President will determine date(s) for the remaining provisions under POPI to come into force at a later stage.

The purpose of POPI is to ensure that all South African institutions (both private and public bodies) conduct themselves in a responsible manner when collecting, processing, storing and sharing personal information.

POPI facilitates accountability by holding public and private bodies liable for the abuse or compromise of a data subject’s personal information by imposing fines and/or imprisonment for wrongdoers.

It is therefore imperative for organisations across South Africa to take careful note of the impact that this piece of legislation will have on their day-to-day activities.

POPI treats personal information as “precious goods” and aims to bestow upon data subjects certain rights of protection and the ability to exercise control over:

when and howthey choose to share their information (consent required unless exclusions apply);
the type and extent of information they choose to share (must be collected for lawful and valid reasons);
transparency and accountability on how their data will be used (limited to a specified purpose) and notification if/when the data is compromised (in terms of a prescribed breach notification process);
access to their own informationas well as the right to have their data removed and/or destroyed should they so wish (facilitating data subject participation);
personal information being kept up to date, accurate and complete (maintaining information quality); and
who has access to their information and how it is secured (maintenance of technical and organisational security measures to prevent loss, damage and/or unauthorised access to personal information).

For the security industry, POPI requires a complete overhaul on the historical treatment of personal information and there can be no doubt that this comes at a cost. Suppliers of physical and technological security solutions will now need to ensure that all personal information collected and processed on behalf of customers (including CCTV footage and access control systems) will be compliant with POPI.

Customers who wish to purchase security solutions will also need to ensure that contracts with suppliers adequately address the abovementioned requirements under POPI.

POPI also presents a vast array of opportunity for the security industry, considering the global threat to privacy and the need for organisations to constantly adopt new technology solutions to achieve compliance with data protection laws.

There are numerous lessons to be learnt from the implementation of data protection laws in Europe and the world over, and it is important for every individual and corporate in South Africa to understand the import and value of POPI.

The post South African Data Protection Law: Implications for Security Managers appeared first on IFSEC Global.