Protection of Personal Information (POPI)

Recently there has been a fair amount of talk around the Protection of Personal Information Bill (not to be confused with the Protection of Information Bill!) or POPI for short.

While POPI is not law as yet, and may well still change before it becomes an Act, it is strongly recommended that any organisation that collects and processes information about its customers (or prospective customers) should at least make itself familiar with the general parameters as currently tabled.

And what organisation does not have lists or databases containing even the basics of the people that it has dealt with? This simple fact makes it clear that virtually every South African organisation, public or private, will have to comply with the new law.

While protection of personal information can be a complex and emotive issue, there are some basic concepts that are critical to grasp: for example, the definition of fundamental terms such as “personal information” itself, and the fact that the Bill is really about how such information may or may not be used (processed) for purposes other than the one for which it was originally collected.

The Bill comprises several principles, for example those dealing with purpose and processing limitations, as well as information security, accountability and information quality. Contrary to common misconception, it is therefore clear that POPI is not only about the security of personal information: while security is a huge area in itself, POPI is also very much to do with how personal information is used, by whom and for what purposes, the associated consent (or not) of those to whom the information applies, and of course how accurate it is. Nor is it just about your customers: it is also about your employees, suppliers, partners, intermediaries or anyone else about whom you maintain information in order to conduct business. POPI therefore extends its protection not only to information about natural persons, but also to information about juristic persons.

It is impossible for most organisations to do business properly and effectively, and to provide good service or attractive products to their customer base, without maintaining even the most basic information about their customers. From a data management perspective, therefore, probably one of the biggest challenges is the fact that many large organisations have personal information spread across multiple departments, divisions, computer applications and databases, and in many different formats.

To demonstrate compliance with POPI in such a scenario will take significant and focused effort to drastically improve current data management practices to a level that supports the rigours required by the law. At its most fundamental level, this means implementing a data governance programme; whether you call it that or not, it will be impossible to comply with POPI without having at least the basic principles of governance around personal information in place.

With data governance ensuring that all the necessary policies, roles (think data stewards), responsibilities, accountabilities and processes are formally in place (not just documented!), attention must also turn to identifying what technology will be required to support ongoing compliance with POPI. From an architectural perspective, one of the most effective ways of doing so will be the implementation of master data management (MDM) for information that falls within the realm of POPI. It is clear that being able to control and manage such critical data will require new techniques beyond those that have evolved out of data warehousing and business intelligence. This means organisations will have to turn to MDM architectures and technologies, in itself a massive undertaking for many large corporates.

Finally, POPI dictates that it is imperative to ensure the accuracy of personal information: nobody appreciates companies getting even simple details about them wrong, let alone being incorrectly lumped into a particular “target market”. This means that to comply with POPI, organisations will have to put time and effort into data quality management programmes, technologies and processes: data quality is in turn a fundamental dependency for successful MDM, and an objective barometer of the efficacy of data governance. Applied together, data governance, master data management and data quality management provide a powerful and coherent means of ensuring that your organisation can avoid substantial fines by demonstrating sustained compliance with POPI.

Until now such data management and governance disciplines have often been ignored or neglected by most organisations. The coming of the POPI Act is about to change all of that.
