Menu
CBN-banner

You can soon demand that companies remove your personal data from their systems

Featured

Data - [http://www.blogcdn.com/jobs.aol.com/articles/media/2012/09/man-phone-looking-620jt092512.jpg] Data - [http://www.blogcdn.com/jobs.aol.com/articles/media/2012/09/man-phone-looking-620jt092512.jpg]

The Protection of Personal Information Act (POPI) is expected to be introduced soon, bringing with it a host of new changes regarding privacy laws in South Africa.

Chief among these are new protections for every day South Africans as well as a number of mandatory changes for businesses in South Africa.

Associate at Norton Rose Fulbright, Tatum Govender says that, while the official date for POPI’s implementation hasn’t been announced yet, South African companies will have just 12 months from the commencement date to ensure they are compliant.

At this point, South Africans consumers may request a take down of any personal information stored by a South African business, following the prescribed manner.

While this manner will only be released in the final regulations, it is likely they will follow the Promotion of Access to Information Act (PAIA) in which you fill out a specific form, (available here and here) and pay a prescribed fee.

In addition, the requester must provide adequate proof of identity.

“Businesses can refuse to remove personal information if they can provide credible evidence as to why it should not be removed,” Govender said.

“If an agreement with a client cannot be reached on whether or not the information should be removed, the information must be marked so that anyone who accesses it is aware that a request for removal was made but not granted.”

Govender said that if a business fails to respond to a request for removal, or refuses to remove the information, a complaint may be lodged by the client, or any other person, with the Information Regulator. The Information Regulator may then undertake an investigation.

“The Information Regulator’s investigative powers are wide and include inspections of premises, entry search and seizure and calling of witnesses,” she said.

Big challenges for business

Govender noted that, in addition to the take down requests, companies will also no longer be allowed to keep excess information, and can only keep copies which are required for a specific, legitimate purpose.

Speaking to BusinessTech, Mike Rees, territory account manager for Commvault South Africa, said that South African businesses now faced a mammoth task in ensuring they complied with the new regulations.

One of the biggest challenges is the fact that businesses can only store and access limited copies of customer data.

He highlighted that many organisations have multiple copies of customer data stored in various locations across the business, for access by various departments.

“From a business perspective it’s actually quite challenging,” he said.

“Currently you have your information in a database, in a spreadsheet, on multiple laptops as well as in the cloud. You can’t just leave it up to the IT department to track this information. How do I remove the data even if I don’t know where it is?”

He noted that one of the easiest way to find this information is through indexing and searches, but there was still no single solution for South African businesses.

“There’s not some sort of Panacea. There’s no way to ‘take this’ and all of your pain will go away.”

As a result, Rees believes that a number of South African businesses will have to drastically change some of their current business practices.

Citing the iStore as an example, he noted that it will no longer be possible for them to request an ID when buying an Apple product if it’s information they already have on their database.

Penalties

Govender said that, in addition to action taken by the information regulator, certain actions are outright offences (eg. obstructing the Regulator) and may result in immediate criminal prosecution or administrative fines.

With such a big change being required of South African businesses, and questions of who will enforce the new laws, Rees believes that many companies may opt to simply take the fine.

However, he said that will not be an option for larger companies and businesses looking to do international deals, as the law requires them to be POPI and GDPR (international) compliant.

It is no longer a case of whether or not you should or shouldn’t comply, Rees said, but rather a question of what tools are at your disposal as a business to make the transition easier.

“Do it because it makes good businesses sense, not because someone is holding a stick,” he said.

 


 

Source

BusinessTech

back to top

Industries

About us

Follow us

Follow us @BusinessNewsCT

BusinessNewsCT Cape Town’s property market is so whack – a parking bay is selling for R1.1m - https://t.co/ZUoTztLmAC https://t.co/FlQoGqRVMq
16hreplyretweetfavorite
BusinessNewsCT A look at the new electric Jaguar I-Pace SUV coming to South Africa - https://t.co/Tbk3RnXRz4 https://t.co/rv4p5Vqf6Q
16hreplyretweetfavorite
BusinessNewsCT Wiese loses billionaire status as Steinhoff continues massive sell-off - https://t.co/N6tBqwyL6E https://t.co/PdoK7Prh5C
16hreplyretweetfavorite