What's Happening?

PoPI is almost here – is your data strategy ready for compliance?



After many years of discussion, the Protection of Personal Information (PoPI) Act is finally coming into effect. The information regulator is pushing for the Act to be finalised on 1 April 2020, giving South African businesses a little over a year to get their data systems and processes in line. Compliance with PoPI will soon be mandatory, but enterprises that are able to meet requirements will actually find themselves at a significant advantage. Improved data management is not only imperative for compliance, it also makes good business sense. 

Transparency is the end goal

According to the Act, personal information is any data that may identify a person or distinguish them from another. This is an incredibly broad spectrum of information, including aspects as diverse as religion, medical history, biometrics, online screen names, or even opinions of, or about, a third party. 

It is also important to remember that PoPI applies to the data of any legal entity – from a natural person, to a company, trust or non-profit institution. As such PoPI extends beyond customer data, and governs the use of other party’s data, such as data related to customers, employees, suppliers and partners. Some of the requirements for PoPI include:

  • Only collecting and keeping information you need for a specific purpose
  • Limiting access to personal data
  • Ensuring the quality of personal information
  • Allowing the subject of the data to see it upon request 

So, what does this mean for businesses?

The reality is that there has always been a need for businesses to safeguard the personal information of their customers. However, as the rampant growth of data has continued unabashed, control has become simultaneously increasingly difficult to achieve and more important than ever. PoPI is, at its most basic level, a way of forcing into law the practices around data management that should be implemented regardless, by controlling how personal information is used within an organisation, from data capture to destruction.  

The trouble is that many businesses have no visibility into their data, why it was collected, what they have, where it is being stored and what is being done with it. Compliance requires businesses to be able to answer these questions, and despite common misperception this is not a legal challenge or an IT security problem. Ultimately it boils down to a data quality problem as well as data management and data governance issues. 

Compliance has benefits beyond avoiding penalties

PoPI does not stipulate that data cannot be used, only that it must be used for legitimate purposes and that consumers consent to this use. In order to comply and still obtain value from their data, businesses need to therefore be more proactive when it comes to managing their data. 

It is now essential to effectively find, classify and make decisions on how data is used, and ensure that these uses, including technologies such as Artificial Intelligence (AI) do not conflict with what the customer agreed to. Data management and its various components including data governance, data quality, master data management and metadata management are the foundation of PoPI compliance

However, data management should be about more than just complying with laws. Using data effectively is the key to maintaining trust with customers, which is the foundation of an enhanced customer experience and therefore a source of significant competitive advantage.