One of the key talking points during our webinar last week was the Protection of Personal Information Act (click here for a copy of the workshop slides). In theory, POPI should be very disruptive. But how much practical impact will it actually have? That depends on two overarching factors.
The first (and most obvious) of these is the extent to which POPI is enforced. The Consumer Protection Act, for example, has not had the dramatic impact that was hyped prior to its commencement. Few consumers go to the trouble of lodging complaints with the National Consumer Commission or National Consumer Tribunal, and those same regulatory bodies are not doing a particularly good job of policing compliance.
I don’t expect the general public to police POPI more zealously than they have the CPA. So much will hinge on the competence of the National Information Regulator (and any other responsible institutions).
The second key factor is the sector that you operate in and the market that you serve. While many individuals may not bother exercising and protecting their rights, organisations are unlikely to be so lapse (especially when the risk of a supplier breach threatens their own compliance). This is particularly relevant for SMEs that are sub-contracted by much bigger organisations for projects where sharing personal information (or access to it) is unavoidable (e.g. installing and maintaining IT networks).
Preferential procurement could amplify this since the new state procurement policy mandates that at least 30% of tenders over R30 million must be outsourced to small suppliers. SMEs competing for those opportunities could establish an early advantage over their peers by demonstrating their ability to comply with POPI both internally as well as across their supply chain.