Most corporates have terabytes of unstructured data floating around, which they do not know they have. New legislation is about to make life very interesting in this sphere. The Protection of Personal Information Act (POPIA, or the Privacy Act as it is more commonly known) aims to ensure that consumers’ rights to privacy of data are protected.
Ok, so that’s a bit of a mouthful. In plain English, the Act aims to stop those big nasty corporates, or small nasty criminals, from abusing the information they have legitimately or illegitimately gotten their grubby paws on. So if you, Mr Estate Agent, have my details on file from last time I bought a house, and you are still spamming me with ‘I can sell your home’ letters without my permission, you’ll be in for the high jump.
The Act impacts each and every organisation (public or private) that has any of my personal information on record, from the corner realtor to my multinational personal banking service provider. And while the Act was still, last I looked, a bill, most commentators agree that it is going to hit the streets in the near future (near being a relative term where the judiciary is concerned).
The Act has serious implications on two main fronts. Firstly, it will hold organisations accountable if they do not take adequate steps to protect the information they hold. So if your customer database gets hacked, you will be required to prove that you took reasonable steps to ensure it couldn’t happen. Secondly, it requires organisations to know exactly what information they have and whether that information could be described as personal or sensitive. And here’s the kicker: they must have permission from the body (person or company) to which that information relates to possess said information.
Is that the sound of information audits I hear? Or perhaps it is electrons sizzling, frantically trying to get permission forms out to each and every body that any body has any information on. This part of the bill is a little contentious (I’m told) and thus may be changed before the final version hits the streets.
In any event, picture if you will the chaos that will erupt once that bill becomes law and every organisation out there suddenly realises what it is legally liable to do, or what it can be held legally liable for not doing. Personally I think that the permission form requirement may be going a bit far, but I can see the government’s point. I guess we’ll just have to wait for the finalised version to see how much sanity has prevailed.