
    The effect of pertinent factors in preparation for compliance with the South African Protection of Personal Information Act of 2013 (POPI)

    A research report submitted in partial fulfillment of the requirements for the degree of Master of Arts in the field of Information Communication Technology Policy and Regulation MA (ICTPR) to the Faculty of Humanities, University of the Witwatersrand, May 2018.

    While South Africa passed the Protection of Personal Information (POPI) Act in 2013, it has not been fully enforced. Consequently, there is only a basic understanding of the effect of preparation to comply with the Protection of Personal Information (POPI) Act on the organisation, staff and cost anticipated for the compliance effort. This study delves into these aspects to build a picture of various factors that are pertinent in preparation to comply. This study is exploratory due to the Act being relatively new and not fully enforced yet. It is qualitative in nature, specifically employing a constructivist lens, and gathering opinions and feelings of respondents to gain insights on the research question posed. The tool for data collection was formal semi-structured interviews that allowed for all interviewees to be asked the same questions and for flexibility to drill down into responses to gain deeper insight. The analytical framework combines elements from two ISO standards - 19600 & 17799 (now 27002) and the OECD’s Compliance Cost Assessment (CCA) framework. The retrospective effect of the Act was determined to be a risk in preparation for compliance, particularly the conditions for lawful processing of information, as currently held information would need to comply with the Act, as well as new information being collected going forward. Compliance with legal requirements works hand in hand with corporate governance. The King IV codes are an example of corporate governance standards in South Africa and have bearing on data protection and data governance and suggest that it be on the agenda of the Board of an organisation. While the codes of governance are detailed and good practice by many accounts, they are not legally binding, and as such the POPI Act can be seen to be the legal instrument to ensure a minimum standard of protection across the board. A unique aspect of the POPI Act is pertinent to organisations in that a juristic person’s privacy is protected by the Act. Various reasons are given for this, but the analysis determined that the most plausible is that this is due to the constitution. How this is done could be determined by a future study into the matter. Governance and organisational theory are also traversed. Compliance with legislation is central to these. The Act stands to affect the structure of organisations and spur change. The study also proposes a model for compliance.

    MT 201