Payments industry prepares for POPIA
The time for the Protection of Personal Information Act (POPIA) has arrived with companies expected to be fully compliant by 30 June 2021. What this compliance means, and how organisations are expected to achieve it, depends on the sector, the company’s existing security posture, and how far it has already gone towards achieving the mandates outlined by the Act.
POPIA was promulgated in 2013 and came into effect with a twelve-month ‘grace period’ from 1 July 2020.
The recent poll undertaken by ITWeb and KnowBe4 – which received 176 responses, 70% of them from respondents at executive or middle management level – found that 64% of respondents believe they have sound routines in place for reporting data breaches, while 18% indicated they do not.
“Not a week goes by without another data breach hitting the news. Organisations need to prepare for security incidents such as data breaches,” says Anna Collard, SVP of content strategy and evangelist at KnowBe4 Africa.
Nor could the Act anticipate a global pandemic: 52% of respondents to the POPIA readiness survey admitted that working from home due to the COVID-19 pandemic has affected their privacy programme [1].
For the payments industry, organisations have to commit to providing individuals with their data protection rights and have privacy measures focused on achieving the best personal information standards in line with the law.
Karen Nadasen, CEO of PayU South Africa and Chairperson of the Ecommerce Forum SA (EFSA) explains, “We want to be part of making sure that organisations – small, medium and large – understand and meet the requirements of the Act and that we, at PayU, support the spirit and purpose of POPIA. Our commitment to privacy principles is clearly outlined on our website.”
Several steps must be taken to ensure that the business is ready for the implications of POPIA. Given the volume of personal data collected at the point of purchase, those in the payments industry must pay particular attention to the requirements.
The areas that have received the most attention in privacy programmes are the education of staff (67%), identifying personal information assets (66%) and tightening technical controls (61%), but there are many other factors to consider [1]. The priorities include:
Appoint the right people
- Designate the right number of people who can assist you in meeting the compliance requirements of POPIA and who can help you to identify your key stakeholders.
- The Act has set numerous deadlines over the years. The first for 2021 required organisations to appoint an Information Officer by 31 March, with appointed officers gazetted to start by 01 May 2021. There is no penalty if the role is not filled by this date, nor does the person have to be independent. The CEO will be the de facto Information Officer if no one is formally appointed. The Information Officer's role is to run the compliance programme and to ensure that the organisation has completed its data mapping and its breach incident management report, and knows the location and status of its data.
- POPIA makes use of the structures already put in place by the Promotion of Access to Information Act (PAIA), which provides the toolkit companies need to appoint an Information Officer and to outline their respective duties and responsibilities under both POPIA and PAIA.
Ensure your compliance programme is ready
- Your compliance programme must meet the requirements of POPIA, including ensuring that data subjects can exercise their data subject rights. In this process, you will need to identify whether you are the responsible party for the data or the operator. If the latter, you have to develop and test your breach reporting process to the Information Regulator, data subjects and responsible parties.
Analyse your risk
- Determine the risks your company faces with regard to its processing of personal information. This is a multi-pronged approach that requires you to know your data and to perform privacy impact assessments for high-risk processing.
- You also need to know and define the legal bases required and be transparent when it comes to your data processing activities.
- It is also important to identify all the third parties with which you share personal information, and to put a third-party management process in place. This can be further strengthened by ensuring that the mechanisms used to transfer personal information, both inbound and outbound, are secured correctly and meet the required personal information transfer protocols.
People and culture
- It is as important to focus on the culture of the business and the training of your people as it is to focus on the minutiae of the law.
- Employees need to understand their role in ensuring the protection of personal information and security, and each person plays a pivotal role in strengthening compliance. A culture of awareness will help ensure that people understand, implement, and respect the constitutional right to privacy.
Assess your readiness
- The ITWeb and KnowBe4 poll found that “just under one-third (30%) indicated they were well prepared, while 39% said they were ‘somewhat’ ready, but more work needs to be done; 14% of the respondents have only just started, while 8% admitted they are not prepared at all”, adds Anna Collard.
- Get systems and plans in motion as swiftly as possible, to ensure that you are prepared for what POPIA will bring to the compliance and regulatory table. Payments organisations have to commit to providing customers with their data subject rights under POPIA.
Organisations looking for further information on how to embed POPIA compliance can visit the Information Regulator website.