Regulator urges engagement to underpin POPIA

Regulator urges engagement to underpin POPIA

 The South African Information Regulator (SAIR), with limited resources to proactively police compliance with the new Protection of Personal Information Act (POPIA), will rely heavily on data subjects, media and organisations to report breaches.

This is according to Sizwe Snail ka Mtuze, managing director of Snail Attorneys @ Law and commissioner at SAIR, who was speaking in an ITWeb Security Summit GRC, Privacy and Regulation track chaired by Carolynn Chalmers, CEO of Prof Mervyn King’s Good Governance Academy, director of Candor Governance, and former non-executive director and current active member of the Institute of Information Technology Professionals South Africa (IITPSA). IITPSA, which is an official endorser of the ITWeb Security Summit 2020, is founded on a Code of Conduct and Practice committed to ethical and professional behaviour.

Speakers in the track on GRC, privacy and regulation highlighted the links between governance, regulation and ethics, with the new POPIA a key focus.

With POPIA having come into effect on 1 July, organisations now have a grace period of one year – until 1 July 2021, to comply.

However, Snail noted that both public and private organisations should not wait until the end of the grace period to get their houses in order. “Since our inception in 2017, we have taken an attitude of proactive compliance – trying to get organisations to comply, self-report and protect data subjects,” he said. “The hands of the Regulator are currently tied in terms of enforcement, but in the event of non-compliance, we do engage, maintain a breach register and encourage organisations to tell us what happened and what measures they are taking to protect data.”

“We urge everyone to comply with POPIA – now,” he said.

Snail conceded that the Regulator was under-resourced in terms of enforcement capability: “Money is a problem everywhere. From the beginning, the office of the Regulator was given a minute budget in comparison with data protection offices elsewhere in the world. Data protection is an expensive exercise – and it needs a fully resourced information Regulator to give effect to what POPIA envisages. We are in discussions with the Treasury about the budget every year.”

He said that while the Regulator could go into an organisation and assess whether their processes were in line with POPIA, it would rely heavily on data subjects and the media to report non-compliance. “There will be many avenues to the Regulator,” he said.

Beyond locking down digital systems

Snail noted that POPIA did not only apply to data in electronic format: “It’s not just about the digital environment, people suffer data breaches in the physical environment too.” He said POPIA compliance should encompass technologies, processes and people.

Susi du Preez, InfoSec engineer at Impact IT & Risk Services, echoed this sentiment: “Don’t just rely on technical systems to protect you – your people are the weakest link,” she said. She described the POPIA as among the best data protection regulations in the world, and urged organisations to comply with it now, and not wait until the grace period came to an end.

Privacy and ethics

“The ethical use of personal data is becoming far more of a talking point today, with data ethics becoming a top business priority,” said Chalmers.

Yvette du Toit, associate director at PwC, said privacy and ethics was particularly topical amid the Covid-19 pandemic as health data was gathered, processed and shared.

Du Toit said the law’s purpose was to try and create an orderly society, whereas the purpose of ethics encompassed ‘what ought to be’, and that POPIA played a role in encouraging the ethical processing of data.

She said privacy is essentially based on principles of transparency, choice, being fair and legal,  accountability, individual rights, purpose and security; while ethics focused on protection and morals. “Ethics moves the conversation beyond ‘are we compliant?’ towards ‘are we doing the right thing?’” she said.

She said some of the current ethical challenges to privacy include AI and medical science. As we move towards electronic health records to facilitate easier sharing of information, right through to technologies for screening, diagnosis and treatment, the ethics around management of this medical data has yet to be fully defined, she said. “But what happens if something goes wrong?”

Focusing on governance

Emmerentia du Plooy, head of Information Risk Governance at Standard Bank, noted that information was being put at risk by organisations not knowing what information their organisation had, and how it was used. “Are you sure it only exists in a specific department on a specific system, and is an information asset register in place?” she asked. Du Plooy said focusing only on threat actors did not fully address risk. She said organisations had to focus on meaningful controls – with a shift to where the information is – and on data-driven risk management. Many organisations take too long to determine the value of their information, she said. They need to shift their risk management approach to take a proactive view on impact, based on information type. “Some have succeeded in moving from a more quantitative risk approach to a qualitative approach.”

Calling on organisations to ‘make governance sexy again’, she said: “Governance is not just the foundation of a building – it is also the cement that ensures we have a strong structure in place.” She said governance could not be circumvented in the name of ‘business must go on’. “Governance must become dynamic and enable our risk aware culture. Governance empowers you to move forward.”

Carolynn Chalmers agreed: “People don’t understand that the G and C in GRC aren’t the same – governance really is the oil in the wheels. It’s about doing your best,” she noted.

The Institute of Information Technology Professionals South Africa (IITPSA) is an official endorser of the ITWeb Security Summit 2020. IITPSA is a South African professional body for Information Technology professionals and aims to further the study, science and application of Information and Communications Technologies (ICTs); maintain and promote Codes of Conduct and Ethics for its members; define and promote standards of ICT knowledge; promote the formulation of effective policies on ICT and related matters; and extend the knowledge and understanding and usage of ICTs in the community. This is achieved by engagement with both Industry and Government on ICT policy, regulations and professional activities, combined with a commitment to the wider community to ensure the beneficial use of ICT.

 For further information visit