Payments industry prepares for POPIA

The time for the Protection of Personal Information Act (POPIA) has arrived with companies expected to be fully compliant by 30 June 2021. What this compliance means, and how organisations are expected to achieve it, depends on the sector, the company’s existing security posture, and how far it has already gone towards achieving the mandates outlined by the Act.

POPIA was promulgated in 2013 and came into effect with a twelve-month ‘grace period’ from 1 July 2020.

The recent poll undertaken by ITWeb and KnowBe4 – receiving 176 responses with 70% of respondents being at executive or middle management level – found that 64% of respondents believe they had sound routines in place for reporting data breaches, but 18% indicated they don’t.

“Not a week goes by without another data breach hitting the news. Organisations need to prepare for security incidents such as data breaches,” says Anna Collard, SVP of content strategy and evangelist at KnowBe4 Africa.

The Act also could not anticipate a global pandemic in which working from home has seen 52% of survey respondents on POPIA readiness admit that working from home due to the COVID-19 pandemic has affected their privacy programme¹.

For the payments industry, organisations have to commit to providing individuals with their data protection rights and have privacy measures focused on achieving the best personal information standards in line with the law.

Karen Nadasen, CEO of PayU South Africa and Chairperson of the Ecommerce Forum SA (EFSA) explains, “We want to be part of making sure that organisations – small, medium and large – understand and meet the requirements of the Act and that we, at PayU, support the spirit and purpose of POPIA. Our commitment to privacy principles is clearly outlined on our website.”

Several steps must be taken to ensure that the business is ready for the implications of POPIA. Given the extent of data taken at the point of purchase, those in the payment industry must pay great attention to the requirements.

The areas that have received the most attention in privacy programmes are the education of staff (67%), tightening technical controls (61%) and identifying their personal information assets (66%), but there are many other factors to consider¹. The priorities include:

Appoint the right people

• Designate the right number of people who can assist you in meeting the compliance requirements of POPIA and that can help you to identify your key stakeholders.
• The Act has implemented numerous deadlines over the years and the first for 2021 is that organisations are required to appoint an Information Officer by 31 March and have been gazetted to start by 01 May 2021. There’s no penalty involved if the role is not appointed by this date, nor does the person have to be independent. The CEO will be the de facto Information Officer if no one is formally appointed. Their role is to undertake the compliance programme and to ensure that the organisation has done its data mapping, breach incident management report, and knows the location and status of its data.
• POPIA makes use of the structures already put in place by the Promotion of Access to Information Act (PAIA) that provides the toolkit that companies need to appoint an Information Officer and outline their respective duties and responsibilities under both POPIA and PAIA.

Ensure your compliance programme is ready

• Your compliance programme must meet the requirements of POPIA, including ensuring that data subjects have access to their data subject rights. In this process, you will need to identify if you are the party responsible for the data, or if you are the operator. If the latter, you have to develop and test your breach reporting process to the Information Regulator, data subjects and responsible parties.

Analyse your risk

• Determine the risks your company faces with regards to your processing of personal information. This is a multi-pronged approach that requires you know your data and perform privacy impact assessments for high-risk processing.
• You also need to know and define the legal bases required and be transparent when it comes to your data processing activities.
• It is also important to identify all the third-parties that you share personal information with, and to put a third-party management process in place. This can be further enhanced by ensuring that the mechanisms used to transfer personal information, both inbound and outbound, are secured correctly and meet the correct personal information transfer protocols.

People and culture

• It is as important to focus on the culture of the business and the training of your people as it is to focus on the minutiae of the law.
• Employees need to understand their role in ensuring the protection of personal information and security, and each person plays a pivotal role in strengthening compliance. A culture of awareness will help ensure that people understand, implement, and respect the constitutional right to privacy.

Assess your readiness

• The ITWeb and KnowBe4 poll found that “just under one-third (30%) indicated they were well prepared, while 39% said they were “somewhat” ready, but more work needs to be done, 14% of the respondents have only just started, while 8% admitted they are not prepared at all”, adds Anna Collard.
• Get systems and plans in motion, as swiftly as possible, to ensure that they are prepared for what POPIA will be bringing to the compliance and regulatory table. Payments organisations have to commit to providing customers with their data subject rights under POPIA.

Organisations looking for further information on how to embed POPIA compliance can visit the Information Regulator website.