Last week, ITWeb published an article reporting that Adv. Pansy Tlakula has written to President Ramaphosa asking him to sign POPIA into law by the end of the first quarter of 2020. This would mean that by April you would need to start complying with the many facets of this law.
Fear, Uncertainty and Doubt
In the InfoSec community we talk about FUD and how it spreads like wildfire. I am already seeing media releases claiming that people are going to be arrested and that immediate R10-million fines will be issued. It is very unlikely that either of these specific consequences is what will actually happen. Fines in data privacy tend to work on a sliding scale, relative to the business involved, the resources it has available, and whether it has put measures in place to comply with the legislation. The more you have in place, the stronger your position against the more serious end of that scale.
You Need To Get Started!
For the last 7 years, people have lapsed into POPIA fatigue. Understandably so: we have heard this story many times before and it has never resulted in the act being promulgated. This time round, I believe we are in fact going to see the act come into effect. Beyond the regulator and various other bodies writing to the president asking him to sign the act, we also need the act to be taken seriously by other countries that already have privacy regulation in place. If we were to be regarded as "adequate" by the EU, trade involving data processing would become far easier, as the current rules and regulations (and the documentation they require) are incredibly onerous on cross-border transfers.
Should POPIA come into effect in April, you will have 12 months to comply with it. I can tell you from experience that this is NOT a lot of time! Many of the ways you currently do business will need to change from the ground up.
Get Introductory Training
Your first port of call should be introductory training. I offer a 2-3 hour workshop for all staff (including the executive) that covers the basics of what this means for you and your business. We have a tendency to think that privacy is the domain of the IT department; however, IT's responsibility accounts for less than one eighth of your compliance exercise (email me if you'd like the reasoning behind that)!
I can’t recommend @rossgsaunders enough when it comes to data protection. He has a two hour intro presentation which should be mandatory for everyone in your business.
— Gary Meyer (@garymeyerza) January 31, 2020
To find out more about my training, book a no-obligation slot in my calendar and see how I can help you become aware of the very large exercise that is looming when this regulation comes in.
Text in cover image taken from the referenced article on ITWeb.