Q & A with POPIA Workshop presenter Mark Heyink

The next few weeks mark the beginning of Compuscan Academy’s three workshops on The Reality of POPIA, GDPR and Cybersecurity Bill.


These workshops are presented by Compuscan Academy in collaboration with leading expert on privacy issues and personal information protection, Mark Heyink. Not only is he one of South Africa’s top information attorneys and information security consultants, Mark also acted as an advisor to the Joint Parliamentary Committee for Justice, during the finalising of the Protection of Personal Information Act (POPIA).

Due to Mark’s expertise on best practice regarding electronic information, information security, privacy, and the existing emerging laws which govern information, we interviewed him about his thoughts surrounding these topics prior to the launch of Compuscan Academy’s workshops.

Q: What led to the development of POPIA?

A: Privacy is a fundamental human right. The advent of the modern computer and communications technologies has impacted adversely on the privacy of individuals globally, and it has been necessary to develop legal frameworks and legislation that protects these rights. In South Africa, privacy is a constitutional right. POPIA is intended, in harmony with data protection laws internationally, to provide the legislative framework that will allow individuals, whose right to privacy has been breached, redress against persons responsible for the breach.

The importance of POPIA cannot be underestimated. Countries with established data protection legislation will, as a principle, not share personal information with countries that do not have adequate legal frameworks protecting the processing of personal information. This has been reinforced by the General Data Protection Regulation, which governs all of the European countries and is regarded as the gold standard for privacy legislation.

Q: POPIA is expected to come fully into effect in 2018, and businesses are allowed one year to comply with its requirements. Do you think one year enough time to establish compliance practices and processes?

A: For some businesses, particularly those who have already started POPIA projects, compliance may be achieved. From my experience and interaction with many businesses, I do believe that they will be in a position to comply, particularly with the 8 Conditions governing the lawful processing of personal information, within the grace period.

All businesses are dependent on the processing of information in varying degrees. In some cases, the processing of information is the business that is being conducted. Many businesses have underestimated what is necessary in addressing the security safeguards required. To do so, they will need to address the technology used by the business, the processes governing the use of technology and the education of people within the business to follow the processes, as well as use this technology appropriately.

Q: What advice would you give to companies regarding the posible disruptions POPIA may cause their businessess?

A: The management and security of information processed by companies is, regardless of the requirements of POPIA, a corporate obligation. Failure to do so may render the company liable to compensate persons whose personal information is compromised, administrative fines that may be imposed by the Information Regulator, or criminal prosecution.

In terms of the Companies Act, directors who do not fulfil their duties properly can also be held personally liable. Leaving aside the potential liability, the proper processing, management and security of information is simply good business practice. Companies that fail to do so, regardless of their liability relating to POPIA, are simply not doing good business, and are probably not optimising the benefits of the technologies that they use may hold.

It is possible that the work necessary to ensure that the Conditions of lawful processing of personal information are met can disrupt or change the way that some businesses may need to operate. However, I would strongly suggest that businesses who do address POPIA properly, will see many other benefits to their business.

Q: How can businesses prove that they are POPIA compliant?

A: There are many different elements to compliance with POPIA. It is also not a static position. Rather, compliance is a continuous business process or set of processes that must be followed to ensure that the threats to personal information are combatted on a continuous basis.

There are products, technological and otherwise, that may assist in the establishment and maintenance of compliance. Those companies that state that use of a particular product will render the business compliant are simply misleading the people to whom the statements are addressed, and these statements evidence their misunderstanding of the requirements of POPIA.

Q: What are the potential penalties for not complying?

A: The potential penalties may be compensation to a data subject, if the data subject has suffered damages. The Information Regulator can levy administrative fines up to a maximum of R10 million. A court may levy fines which are not limited, and order imprisonment not exceeding a maximum of 10 years.

What has become recognised globally is that the true penalty to businesses is the reputational damage that the business may suffer, should it not properly protect personal information.

Q: Due to the limits on direct marketing, POPIA is perceived by some as a restriction to marketing strategies.

  • What are your thoughts regarding this negative attitude?

A: The fact is that in the absence of privacy legislation, many unscrupulous businesses use marketing strategies which abuse the personal information of individuals. There must be a recognition that personal information is owned by the individual to whom it pertains, and that person is entitled to control how the information may be used. The restrictions in POPIA are aimed at ensuring that the individual is able to control how his/her personal information may be used, relating to direct marketing and the profiling that often accompanies it.

This is not something that is peculiar to South Africa. It is a worldwide phenomenon which is already very heavily regulated in all democratic countries. The failure of direct marketing companies to regulate themselves, or through their associations in South Africa, has resulted in abuse, misdirection as to the interpretation of legitimate interests of direct marketers, and disregard for the fundamental human right of privacy. POPIA does nothing other than redress abuses in this regard. Direct marketing in countries that have had privacy legislation for nearly 30 years continues to thrive, but these companies do so without impinging on individual rights.

  • Are there any positive aspects POPIA offers marketing strategies?

A: The positive aspect of POPIA is that marketing strategies will be developed with greater thought to the rights of the individuals. These strategies will not be developed, as many have been over past years where computer and communications technologies have been exploited, with the sole aim being the maximisation of profit. As we have seen in recent months, the failures of corporate governance (which includes compliance with the law) based purely on profit that disregard the rights of others and the law, are simply not acceptable or sustainable.

Q: The two-year transition period of Europe’s General Data Protection Regulation (GDPR) is coming to an end next year too, when it becomes enforceable on 25 May 2018. How are POPIA and the GDPR similar?

A: In terms of its principles, POPIA has held up remarkably well to the requirements that are set out in the GDPR. The Conditions of lawful processing of personal information, based as they are on the European Union standards and the Organisation for Economic Co-operation and Development (OECD) principles, remain materially identical. Nonetheless, the GDPR is, not surprisingly, more stringent, and incorporates novel legal concepts like the “right to be forgotten”.

There are many South African businesses that will, in some of their processing, be governed by the GDPR. It is wise for companies preparing for POPIA to look carefully at the GDPR, to ensure that some of those more stringent requirements can be met. It is likely that future amendments to POPIA, if we are to remain in harmony with global development, will follow the GDPR.

Q: The POPIA draft regulations have been published for comment, and those in the industry have been invited to comment until 7 November 2017. What do you expect the prevailing line of comments and queries to be?

A: The draft Regulations are, as were anticipated, largely administrative in nature. They do not in any significant way impact on the substantial law set out in POPIA. It is likely that comment will be directed towards administrative requirements that will not easily be met, and these may vary from industry to industry.

I would recommend that industry bodies seriously consider applying Codes of Conduct and, where necessary, establishing where it may be difficult for particular industries to meet administrative requirements, and to work with the Regulator in addressing these issues. It is the statutory duty of the Regulator to consult with industry bodies in this regard.

Q: At the Compuscan Academy workshops, you will also be discussing the Cybercrimes and Cybersecurity Bill that is currently being considered by the Parliamentary Portfolio Committee for Justice.

  • What is this Bill about?

A: This Bill is long overdue, and addresses in the first instance the establishment of crimes, and in some cases existing law that makes it difficult to prosecute cybercrimes. While these provisions are to be welcomed, there is much work to be done to ensure that the Bill properly addresses the issues that need to be considered in dealing with cybercrimes, particularly where they are perpetrated using modern and evolving technologies. My view is that it is a failing of the consultation process that technologists (in all their various disciplines) have not been consulted or provided input in this regard.

The second part of the Bill relates to cybersecurity and is far more problematical. It addresses the establishment of government and non-government institutions to assist in the combat of cybercrime and cyber-attacks on citizens of the country. The most obvious problem is that in certain instances, it gives wide powers to law enforcement and the State Security Agency, without the balance between security and privacy that we have seen in most democracies. This can lead to overreaching by an overzealous government.

  • How does it differ from POPIA?

A: The Bill is very different from POPIA, in what it seeks to achieve and its scope. The Bill deals with those instances where information security has failed, allowing crimes to be committed. POPIA, on the other hand, is the first legislative instrument in South Africa that directly requires the implementation of security safeguards to protect information. While this may be restricted to personal information, the generally accepted information security standards that POPIA refers to, are the information security standards critical to ensuring cybersecurity, regardless of the nature of the information that may be protected.

It should be borne in mind that the development of information security is as a result of early data protection legislation that required the “reasonable” protection of information. The information security standards gave detail and granularity to what diligent businesses need to do to achieve “reasonable” information security. It is also recognised that countries with mature data protection regimes have a better cybersecurity posture.

Q: What are your hopes of the impact POPIA education can/will have?

A: In addressing information security, which is central to POPIA, there are three specific elements:

  • Technology: without the right technology it will prove difficult to protect information;
  • Process: without the use of the technologies being governed by clearly defined process, it will be difficult to achieve lawful processing of personal information;
  • People: without educating people in why information (and personal information in particular) should generally be protected, the processes governing how information can be protected and efforts to protect information will fail.

I am strongly of the view that there is a huge need for education. For education to be effective it needs to be audience-centric. Boards need to be educated on their governance responsibilities for information and communications technologies, and the information that they process belonging to the business or belonging to third parties, as is the case with personal information. There is a dire need for senior executive management to be educated on their role in determining, establishing and maintaining appropriate protections.

In this regard, it should be noted that every company must appoint an Information Office. Most companies do not have a person qualified to fill this position. In larger companies, middle management has a very important role in monitoring, and ensuring that technology is used properly and that processes are followed. Even at the most junior levels of the organisation, employees are very often processing information, some of which may be personal. Unless they understand the basic principles and risks, their failures can lead to more significant failures in the business.

Critically, we are in the throes of an information revolution. Information and communications technologies have irretrievably changed, and will continue to change the way that we do business. Businesses who invest in the development of appropriate life skills relating to information and communications technologies will reap rich rewards. Investment in education is undoubtedly where businesses are most likely to see the best and most immediate return on their investment.

The Reality of POPIA, GDPR and Cybersecurity Bill workshops will be held in Durbanville, Cape Town on 2 November 2017, then in Durban on 9 November 2017, and finally in Midrand, Johannesburg on 14 November 2017. Click here for more information and to fill in the registration form.