“These businesses now need to have extensive compliance programmes in place to ensure that they deal with personal information on behalf of their clients such as bill issuers in the correct manner,” adds Legal Officer at Pay@, Marlouise Verster.
“Bill issuers are viewed as the party primarily responsible for user data in the eyes of the law.
Should there be a breach, the responsible party is obligated to report the breach to the Information Regulator as well as to the data subject whose information was exposed or compromised.
They will also need to take mitigating steps to address reputational damage and business interruptions, not to mention stakeholder and customer confidence.
Failure to comply with certain provisions of POPIA may result in the Information Regulator imposing an administrative penalty of up to R10 million or jail time of up to 10 years, or both.”
Verster notes that the measures and level of security that payment processors put in place will often depend on the type of information being processed and the sensitivity thereof, and adds that these will also need to be revisited regularly to ensure that they remain appropriate.
Additionally, she says that while there currently aren’t specific Codes of Conduct or Guidance Notes/Notices for the payment industry, there might be in the future, given the sheer amount of guidelines posted by the Regulator prior to the implementation of the Act.
Munsamy shares that, in the past, companies were more focused on technology rather than on how they govern technology.
“Because information security wasn’t viewed holistically, there were gaps which led to breaches and information security incidents.
POPIA mandates that best industry practices be applied to the governance of the business space. Implementing all of the controls required for information security mitigates the risk of incidents, which in turn lowers the likelihood of breaches.”
“Although the implementation of all these new compliance programmes and policies will take a while, in the long-term it will be a good thing for the industry because it is motivating best practice and aligns South Africa’s data protection laws with those of other countries and international standards.
This could potentially open up business opportunities for South African businesses in the payment space as they will be able to demonstrate compliance,” concludes Verster.
This article was originally published on TechBuild Africa.