Ever since familiarising ourselves with the Protection of Personal Information Act (PoPIA) a few years ago, discussing a compliance strategy with clients has frequently been a dead end, because the law is not being taken seriously.
The common sentiment in South Africa is some variation of “why should I care?”
If lawmakers are dragging their feet on implementing the legislation, let alone enforcing it, what’s the point in pouring resources into compliance efforts?
The first answer to this is quite simple – because it’s the law. In Europe, the GDPR, which is the gold standard for data privacy legislation, wasn’t taken seriously either… until the first fines were handed out. In South Africa, we are a few years behind Europe when it comes to data protection, but South Africans are not happy with incessant spamming, for starters. Eventually, the public pressure will force the government’s hand.
Ask yourself if you’d like to be the first company to be made an example of. It is the CEO who is held liable for contravening regulations and who faces a lengthy prison sentence, not to mention a heavy fine.
And even if you aren’t the business to be brought to book, the moment that day inevitably arrives, demand for knowledgeable compliance officers will skyrocket. As things typically work in the market, the rate that compliance offices charge for their services will rise with the demand. Getting started today will save you money in the long run.
The second reason is far more pressing. Customers don’t need to follow lengthy procedures to take their business elsewhere. The very real consequences of a data breach, which may be as devastating as identity theft, are starting to dawn on the public. As a business, you exist to serve your customers and their wellbeing should be top priority. Failing to comply with PoPIA is an indication that you have no regard for their interests. A good reputation takes years, even decades, to build, but can be tarnished in an instant.
Look at the example of Liberty Life’s hack last year. The firm’s data breach exposed the personal information of millions and wiped R1.68 billion off Liberty’s market value overnight, according to the 20 June report from Financial Mail last year. Liberty is struggling to recover and, as reported by Moneyweb on 3 October, has been forced into a massive retrenchment drive. The Information Regulator chairperson, Pansy Tlakula, also announced shortly after the hack that she would be taking Liberty to task – an indication that regulators are starting to take the matter seriously.
Abroad, the most pertinent example, albeit somewhat different in its nature, is the 2015 data breach at the dating platform Ashley Madison. The dating service, which enables extramarital affairs, deals with highly confidential information including real names, home addresses, search history and credit card transaction records. Most notable, however, was the customers’ fear of being publicly shamed. Extortionists targeted users and scammed them out of large sums of money, families were torn apart and several suicides were linked to the data breach. The owners of Ashley Madison eventually faced a $567 million class-action lawsuit, which they settled in 2017 for $11.2 million.
So it goes to show that there are some serious consequences for failing to comply with data privacy laws, both at the hands of the government and your customers. A data breach today will have severe repercussions for your business’ reputation, and those repercussions are only bound to worsen in the near future as people start to take privacy more seriously in an ever-evolving digital atmosphere. The cost of compliance efforts today will pale in comparison to the future costs of failing to comply.