Many people are asking why they need to be aware of and, comply with the Protection of Personal Information Bill (POPI)? What are the privacy risks? What is the impact on an organisation? What is the risk of non-compliance?
Well apart from it being a new law, it will also introduce several new risks. And what are these risks? Below is what we consider the top risks related to privacy issues and POPI. Some of them are quite scary. We list the risks for both organisations and individuals.
Privacy Risks for Organisations
Lose customers due to loss of trust
People are more inclined to do business with companies that they can trust. People will be hesitant to do business with an organisation if they are unsure that their personal information is secure, or that the organisation will use that information in an inappropriate way. Since POPI was drafted specifically to deal with these type of issues, if customers find out that you are not compliant, they may start to lose trust in your organisation, and move their business elsewhere, especially if you handle sensitive personal information.
Fail to attract new customers
If your organisation has been identified as one that does not comply with POPI, it will deter new customers from doing business with you, why after all would a person want to do business which disregards laws aimed at protecting customers?
Bad publicity = damage to reputation
If there is a breach of your security and personal information is stolen or leaked, POPI will require you to notify the regulator and affected customers. If your organisation lacks the means of communicating on a one-to-one basis with your customers, or there are a huge amount of customers affected by the breach, the regulator may require you to publish a public notice, such as in a newspaper, informing the public of the breach. Invariably this will be an embarrassment for the organisation, customers will lose faith in the ability of the organisation to protect their personal information, and its reputation will suffer, which could bring serious indirect financial consequences.
Civil action for damages – class actions
If there is a compromise in security, or you breach the provisions of POPI, the organisation may be liable for damages suffered by affected customers. Section 94 of the POPI deals with civil actions for damages. To an extent enforcement of POPI has been decriminalised – civil action is the penalty rather than a fine or imprisonment. Often a breach of security does not involve a single client, but many. This may lead to customers forming a class action suit against the organisation. An example of this can be seen in the Netflix Case, in which a number of clients are suing the DVD rental organisation for inappropriately disclosing personal information to a third party. The suit is asking for $2,500 in damages for each of the more than 2 million customers – that amounts to about $5 billion. I can see a similar situation arising in South African soon – make sure it is not against you.
Regulatory investigations and enforcement notices
POPI allows the Regulator to investigate and send enforcement notices to organisations that have had complaints levied against them. Some of these powers can be highly invasive, or disruptive. As an example, section 80 allows the regulator to seize hardware or systems of the organisation in order to investigate the truth of the complaint. Even if no damages or suits arise from the investigation, the potential losses from the downtime the organisation may experience could be huge.
An organisation could also incur a fine if it commits an offence under the Bill. The Information Commission in the UK can fine organisations up to £500,000.
Liable for the actions of your operator
If you (as the responsible party) outsource the processing of personal information to a third party (an operator), you will be held liable for their actions. The proper structuring of these relationships is vital.
Your main business activity becomes unlawful
The greatest risk, for some organisations, is that their main business activity may become unlawful. This is especially relevant for direct marketers, as section 66 will regulate the sending of unsolicited SMS, email and other forms of electronic communication. Physical means of direct marketing will also have to follow various principles. If the correct procedures and methods are not followed you will be in breach of the statute, and will be open for possible lawsuits from affected customers. It would be best to make sure that your current business activities comply with the Bill, so that you do not end up acting unlawfully. Remember, ignorance of the law is no defence!
Privacy Risks for the Individual
A Fine or Jail Sentence
Interfering with the investigations of the regulator is a criminal offence, and could lead to a fine or up to 10 years imprisonment. It is surprisingly easy to interfere with the investigations of the regulator, so much so, that you may not even realise that you are doing it. This coupled with the serious consequences that will follow makes it absolutely vital that you are fully aware of the responsibilities and duties imposed on you by the bill.
You could get fired
If there is a privacy breach or a successful claim for damages against your organisation and it ends up paying out a lot of money, your organisation will look for someone to blame, and it may be you. You may face disciplinary action, including dismissal. The best way to avoid this will to make sure your organisation is compliant with the bill and that you have complied with your obligations. For example, in the US a nurse was fired for disclosing a patient’s medical information. She faces up to 10 years in prison, a fine of as much as $250,000, and up to three years of supervised probation.
You could be held personally liable for damages suffered by data subjects
If a customer claims damages, section 94 allows the damages to be levelled against an individual, especially if your negligence was the cause for the security breach, or unlawful processing of personal information. While an organisation may be able to afford a $9.5 million suit for the breach of privacy, very few individuals would be able to do so.
If you would like to find out more about these risks, and active measures you can take to govern them, why not attend one of our oworkshops?