With PoPIA looming, companies need to be aware of the rules and requirements


Xperien’s Wale Arewa takes a deep dive into the rules of PoPIA and the consequences of breaking them.

The financial impact of a security breach could be critical and sometimes mean closure for most small businesses. It’s also a huge struggle for companies to keep up-to-date with regulations, compliance and other legal requirements.

Many businesses are unaware of the risks, but unfortunately ignorance of the law is no excuse. They will be liable should any breach occur. The penalties are severe, and non-compliance could incur fines of up to R10 million or even imprisonment.

The Protection of Personal Information Act (PoPIA) will come into full effect on 1 July 2021. With the deadline looming, there is a lot of confusion and ambiguity regarding its definitions, requirements and enforcement thereof.

PoPIA regulates the usage and collection of personal data. Companies are required to handle all data carefully and provide customers with tools to update or delete personal information. They also need to alert consumers immediately if there is any form of breach.

The Act affects everyone, from financial institutions, data management companies, media companies, marketers and consumers. This means everyone should be aware of the Act and the consequences for breaking the rules.

According to legislation, businesses are required to manage the complete destruction of all data when IT assets reach end-of-life. PoPIA requires IT asset managers to practice due diligence and ensure their storerooms go through the expected data erasure techniques essential to protect company data.

With companies constantly acquiring new technologies, there is a corresponding and often overlooked increase in retired IT assets. These outdated PCs, laptops, monitors and other IT equipment tend to quietly pile up in storerooms.

Companies that manage IT asset disposition internally continue to struggle with data security and proper environmental recycling. This could lead to reckless disposal of electronics – a huge source of illicit information – which often puts companies at risk.

They need to comply with the growing number of data protection regulations and standards. Failure to comply will result in steep fines for violators.

They have had ample time to prepare, but many are now scrambling to become compliant. They have realised that the impact is enormous, and that significant and unresolved personal data protection issues could result in financial penalties.

IT disposal also has other legislative requirements, compliance to the National Environmental Waste Management Act 2008 (NEMWA 2008), the Consumer Protection Act 68 of 2008 (CPA) and General Data Protection Regulations (GDPR).

Compliance affects everyone from employee, suppliers and third-party data, as well as the systems that process it and how it is retained and destroyed. It includes the way personal information is stored, handled, processed, protected and who has access to it.

Companies need to disclose what information is being gathered and how it will be stored. This could include staff records, ID numbers, drivers' licences, medical history or financial information.

Business owners have lost track of all the devices that are accessing their networks and more importantly, which staff are accessing confidential information. They urgently need to secure their data, both internally and externally, to ensure their data is not compromised or that they fall prey to a data breach.

In nearly every business, employees have access to data that they shouldn’t have. This makes businesses vulnerable to data breaches, especially with cybercrime on the rise and companies of all sizes being targeted. But whose responsibility is it to know which staff are privy to the most confidential digital assets?

Few businesses realise that even the data that resides on personal devices could result in a data breach. They also don’t understand that it’s possible to recover the data from damaged hard drives, broken phones, credit card machines and even memory cards.

In conclusion, abandoned hardware is by far the biggest cause of data breaches and the haphazard approach to IT Asset Disposition (ITAD) is costing companies millions of rands. Most IT managers don’t have a clue what hardware they own or where the old redundant devices have been stored.

Compliance is fast becoming a competitive advantage. Clients don’t want to be put at risk, and data breaches and issues related to regulatory compliance, associated costs and loss of reputation will have dire consequences for businesses that suffer data breaches.

Related articles