The commencement of the Protection of Personal Information (POPI) Act will impact a vast number of businesses, and the construction industry, as one of the major contributors and employment providers to the South African economy, is no exception, says Databuild CEO Morag Evans.

Morag Evans, CEO, Databuild

Nicol Myburgh, POPI Act adviser to Databuild, echoes these sentiments. “Businesses have until 30 June 2021 to get their house in order. Those that fail to comply with the legislation will be held accountable in the form of hefty fines or prison sentences.

“Additionally, the resultant reputational damage that can follow an information breach is incalculable and could lead to costly legal action and the ultimate demise of the business.”

Protecting information privacy

According to the Act, everyone has a right to privacy and protection from damage resulting from the misuse and abuse of personal information, such as financial fraud and identity theft. To this end, the legislation aims to prevent the unlawful processing of personal information of South African citizens.

“This means businesses are not only limited in the way they collect, process, store and share personal information, but are also legally obligated to protect its privacy,” Myburgh explains.

Any personal information regarding employees, suppliers or clients falls under the auspices of the Act. This includes human resources and payroll data, CVs, employment applications, CCTV records, performance reviews and some internal email records.

No one-size-fits-all approach

Nicol Myburgh, POPI Act adviser to Databuild

As custodians of this information, business owners must ensure they put adequate measures in place to protect it but, Myburgh points out, there is no one-size-fits-all approach when it comes to achieving compliance with POPI.

“Business owners will be required to conduct an in-depth analysis of all the personal information within their organisation, including where it is obtained and what is done with it.

“Appropriate data privacy policies, together with adequate data security practices must be developed and implemented, and these must be regularly reviewed and updated to ensure they remain aligned to POPI’s requirements.

“A training and awareness programme within the organisation is also a good idea to ensure that all employees understand the relevance of POPI and why it is important.”

Severe penalties for non-compliance

Myburgh advises companies that have not started becoming compliant to do so as soon as possible. “Those that don’t could face severe penalties, including a R10m fine or up to ten years in prison.”

“POPI aims to bring South Africa’s privacy laws in line with international standards and plays an integral role in preventing the abuse and exploitation of personal information,” says Evans. “The legislation should not be viewed as burdensome, but rather an opportunity to simplify, review and streamline businesses processes.

“Companies that embrace this legislation early could realise numerous benefits over the long term, including cost savings and digitalisation, which is long overdue in the construction industry.”