With the Protection of Personal Information Bill (POPI) officially signed into law by President Jacob Zuma and published in the Government Gazette, South African businesses must now ensure that steps are taken to implement effective information destruction practices, as they could find themselves in hot water if they are not compliant.
This is according to Gianmarco Lorenzi, CEO of Cleardata – a group company of JSE listed Metrofile – who says the POPI stipulates that the destruction or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible form. “Failure to comply with this legislation means a breach of an organisation’s legal obligations.”
He says that POPI applies to any business that handles and stores personal information of individuals or of juristic persons (an individual or group that is allowed by law to take legal action, as plaintiff or defendent). “This includes information relating to employees, customers, suppliers and other third parties.”
While the commencement date has not yet been declared, businesses will only have a 12 month grace period within which to implement the necessary steps to achieve POPI compliance, says Lorenzi. “Businesses should start applying the necessary processes and procedures now to ensure compliance with effective destruction of personal information, rather than leave it to the last minute.”
He says that shredding is still the most effective way for businesses to safeguard against document reconstitution. “In addition to the legal ramifications of POPI, potential consequences of not destroying documents properly include, among others, identity theft, leaking of trade secrets to competitors and employees and financial losses.”
Lorenzi highlights that non-compliance of rural branches of companies are of particular concern, as the availability of compliant destruction services in these areas is often either lacking or non-existent. “Often companies will implement a records destruction service for their buildings located close to the centre of town or business hubs, but forget about rural branches. Companies need to ensure proper document destruction forms a part of a comprehensive risk management strategy and incorporate all branches to ensure effective risk mitigation and compliance with current and impending data protection legislation.”
He says unfortunately, most companies will spend thousands of Rand protecting their electronic data through the use of firewalls and high-tech information security, but will let their paper leave the building in the hands of a stranger. “Apart from the legal consequences, it simply makes good business sense to protect your innovative ideas, business plans and budgets from being available to the prying eyes of competitors,” says Lorenzi.
He says data protection risks are faced by all industries, however, financial institutions, medical and insurance companies are most at risk, due the vast amount of personal client information they house.
However, Lorenzi says the majority of large South African companies are starting to realise the importance of responsible disposal of documentation. “This is as a result of pressure from international parent companies, increased awareness of the risks involved in failing to shred documentation properly and the recent green movement, focusing not only on reducing carbon emissions, but also on the recycling of paper.”
Lorenzi recommends businesses should ensure that they use only reputable document shredding companies that have been certified by the National Association for Information Destruction (www.naidonline.org).