POPIA from a Contract Management Perspective
Personal information has been defined by the Protection of Personal Information Act 4 of 2013 (“POPIA”) as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. The act goes in to further depth in Section 1 (a) to (h).
With the inconceivable rise of free flow of information over the internet, the popularity of social media, high rising identity theft and other intrusions on the privacy of individuals, state leaders world-wide have become increasingly concerned with the purposes for which organisations collect personal information, why they keep it, and how they protect it.
Over the last years, South African legislators have been able to draw on privacy as well as personal information policies and directives developed and experience acquired in other countries, thus selecting the best of the best for our South African privacy legislation. South African legislators have risen to astonishing heights with the European Union following South African legislation in the similar and soon to be enacted General Data Protection Regulation (“GDPR”).
The purpose of POPIA is to ensure that all South African corporates, state institutions, government departments and other persons who access private personal information, conduct themselves in a responsible manner when collecting, processing, storing and sharing another person’s (“Person” includes “Juristic” persons) personal information by holding them liable should they misuse or compromise your personal information in any way.
The challenge for organisations irrespective of their size is one of compliance. The requirements outlined by the act will have a significant impact on the way they do business.
Organisations, unrelated to their business trading, collect personal information daily. Each drafted, negotiated and signed off contract (all types) contains personal information of a natural or juristic nature. The information contained in these said contracts will therefore fall under scrutiny of adequate consent, data processes and security followed, these being the most pivotal requirements contained in POPIA.
POPIA demands very stern compliance requirements relating to the protection of information. Failure of compliance by an organisation with the requirements stipulated in POPIA could not only result in lawsuits and reputational damage but also a cumbersome fine from the Information Regulator.
The Act states that organisations must “identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control”. We have most certainly begun our journey in the 4th industrial revolution in which personal information has become a “risk” in so far as non-consented acquisition of information from a data subject or spillage due to low security or security breaches.
Procurement departments, Human Resources departments, Legal departments, Personnel Recruitment, Retail as well as the education sector are only some of the high-risk verticals in which the acquisition, process, utilisation and storage security of personal information must be urgently addressed and reviewed to ensure compliance.
In this very fast paced 4th Industrial Revolution, IT systems have become the lifeline of all businesses today, with organisations IT departments becoming the corner stone of successful businesses. POPIA has added personal information to the departments bouquet of responsibilities. In light of POPIA, King IV, the Companies Act of 2008 and the imminent enactment of the Cyber Crime Bill, the clock is ticking for organisations to actively seek to not only educate themselves on IT systems that are required to ensure compliance but also the ROI on such systems, as it will be far greater than reputation alone.
Mitigate your organisations risk of non-compliance, contact Realyst Contract Risk Management Pty Ltd, for a secure, compliant and efficient Contract Management Solution