The Protection of Personal Information Act (PoPI Act) is making a significant impact on businesses as they continue to scramble to ensure they are compliant with regulations.
Essentially, the purpose of the PoPI Act is to provide parameters for South African businesses for the collection, processing, storing and sharing of any personal information supplied to them, holding them accountable for any loss or abuse of any information they possess.
PoPI mandates the following eight conditions for the lawful handling and processing of information:
1. Accountability – Companies receiving information are now accountable for the manner in which the information is handled, processed and disseminated; client consent is required before any personal information is shared;
2. Processing limitations - Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject;
3. Purpose specification - Personal information may only be processed for specific, explicitly defined and legitimate reasons;
4. Further processing limitations - Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose;
5. Information dissemination and quality – Information needs to be accurate and well maintained, and only accessed or used by those who, by law, require access to the information.
6. Openness - The person whose information is being collected must be aware that the company is collecting such personal information, and why;
7. Security standards - Personal information must be kept secure against the risk of loss, unauthorised access, interference, modification, destruction and disclosure;
8. Data subject participation - People may request information as to where their personal information is held, as well as be involved in the correction and/or deletion of any personal information held about them.
Information-dependent insurance companies are finding themselves in a position of needing to consolidate all their information in order to comply with these new conditions – no easy feat. But there are many underlying advantages to this process which insurance companies can benefit from, if they embrace digitalisation and disruptive technology.
Under the PoPI Act, any person who gives out personal details now has a right to be informed about where their information is stored, what it is being used for and even how many copies a business has of any supplied documents. This ensures companies are held accountable for the manner in which they handle personal information, and companies need to have information at their fingertips, while offering their clients full transparency into their information, at any time. This is an arduous task for any paper-based insurance company still using legacy storage systems and data silos.
Data-driven insurance companies rely heavily on data warehouses and marts for the storage, access and dissemination of information received. These warehouses and marts need to ensure that the data they store is contained in a lawful manner and that they are mindful of the processing limitations of PoPI. To comply with PoPI, insurance companies need to gear up and start preparing for the additional administration which they will be expected to do. Highlights of the requirements are:
• Written agreements required with service providers to confirm compliance with the PoPI Act;
• The need to be open to system inspections by clients, as well as being prepared to provide data maps confirming storage and backup locations, and access management and tracking;
• The need to be able to show the service provider’s landscape and back-end solutions to verify that they are secured according to PoPI Act requirements;
• To ensure any cross-border data transfers comply accordingly, including mail and mobile synchronisation;
• To secure/encrypt all relevant transmissions;
• The alignment of data retention policies between service providers and their clients;
• That solutions include sufficient protection by design, which is also ensured in delivery.
In order to comply with PoPI’s conditions, insurance organisations need to have a measure of control over who accesses and uses the personal information they receive from their clients, and for what purposes the information is to be used. Using Cloud technology, insurance companies can safely store information in a centralised location while enabling automation. Because various departments can easily and quickly access what they need without being able to tamper with the information unless expressly permitted, processes also become faster and the whole customer experience is enhanced.
Automation of data processing also carries additional benefits such as speeding up application and approval processes. Potential clients can complete an online application and receive approvals within minutes as various data models allow for instant connection to statutory bodies for the verification of the applicant’s address, financial status, legal status, credit record and more. This “easy access” may sound alarming and counterproductive to the PoPI Act, but the PoPI Act’s security mandates also mean that, while this information can be readily accessible with the right tools, it must also be handled responsibly and safely.
Cyber security needs to be a priority of all insurance companies who are looking to automate and centralise their data, particularly when they make use of Cloud technology. It is imperative that companies invest heavily in this from the outset and do not add it as an afterthought. Regulatory bodies may impose fines of up to Ten Million Rand for violation of the PoPI Act, which can be followed up by more fines and even imprisonment, depending on the severity of the violation, so it is in a company’s best interests to be proactive with regard to security rather than reactive.
There is increased pressure on organisations to guard against cyber-attacks. Identity is the common thread in many of these breaches. Protection is achieved by governing and managing various rights, facilitating and controlling access, and monitoring user activity.
While it is certain that hackers are continually looking for ways to get inside organisations, it’s no secret that most security breaches in companies are caused by insider activity – misuse, accidents, disgruntled employees or people being paid by criminal elements. These miscreants recognise that the easiest way of accessing information is to get hold of legitimate passwords. The methods they use to do this range from straightforward spying to social engineering, and often target privileged users.
Quite often, the ultimate target for hackers is not the company data itself but, for example, customer records which can contain personal information, credit card details or healthcare records. Insurers, who handle incredibly sensitive information, should investigate implementing security measures across all layers of their network and data management systems, and not just look at firewalls. Effective cyber security should include multiple ways, across all layers, to manage identity to minimise breaches.
There are a number of emerging technologies that can help insurers to remain compliant with the PoPI Act, and at the same time protect themselves against cyber threats, while also providing a multitude of other benefits. Disruptive technologies such as information sharing and storing applications, the Cloud (although already a fairly entrenched technology) and data mining tools such as social media analytics all aid compliance while speeding up processing and improving the customer experience through automation. It is vital, however, that these technologies be implemented properly and with security at the top of mind to avoid them becoming the reason for non-compliance.
The POPI Act is going to revolutionise how organisations manage personal information and data. Although complying with the legislation is most certainly going to affect a business’s bottom line, these costs will be significantly less compared to the fines potentially placed on transgressors.
By relying on service providers who can lend their expertise and knowledge to the recommendation and implementation of any new technology, insurance companies can evade the potentially disastrous and expensive pitfalls of poor installation, unsuitable technology, inferior cyber security systems and a data management system that doesn’t comply with the PoPI Act.
Jaqueline Van Eeden is the Financial Service Business Development Executive and Gavin Holme is the Country Head at Wipro Limited.