The pending Protection of Personal Information (PoPI) Bill will enable more trade and information flows with other countries that have privacy laws, as well as provide businesses with opportunities to reduce the costs of storing unnecessary data, says advisory firm Deloitte legal director Dean Chivers.
Companies often replicate data across multiple divisions and store duplicates of data at significant cost, while finding and updating information on clients in multiple silos is often a difficult exercise in large organisations, says Deloitte risk advisory director Werner Swanepoel.
“The requirements of PoPI present companies with the opportunity to institute good data management practices that will enable them to have a unitary view of clients across multiple divisions, reducing costs and improv- ing client service,” he explains.
Cross-border data flows from South Africa were not regulated, but will be heavily regulated once the PoPI Bill is promulgated. This will enable South African companies or local subsidiaries of multinational companies to send data to and receive data from countries that have personal data privacy laws, says Chivers.
Improved cross-border data flows will enable multinationals to centralise their data repositories for their international territories, reducing local caching costs, and will enable local companies to exchange more information securely in seeking international business opportunities.
“The PoPI Bill presents an opportune time for companies to implement data management and analysis systems that can boost business performance, as companies will have to find and delete significant amounts of data.”
The Bill requires companies to know where their data is stored and to ensure that it is secure, even if hosted with third-party service providers or partners in other countries. If data is sent to a country that does not have personal data protection laws, then a contract must be concluded and implemented to ensure sufficient protection to meet the Bill’s requirements.
Data can still be held for research purposes, but any potential information that can identify individuals or companies from the data must be removed from the data sets, notes Chivers.
“South Africa’s data management practices, in general, are immature, but the law will bring the country in line with common international personal data privacy laws. The requirements of the Bill will enable companies to consolidate their data and improve their data management systems to improve service to clients, while complying with the law,” says Swanepoel.
If companies regard the Bill as another compliance hurdle, they will not reap the benefits from the process of investigating and managing their data. However, if companies use the process to derive value from their data sets, then compliance with the Bill will be much easier and may improve their business practices, he emphasises.