Although the Protection of Personal Information Act (PoPI) is not yet in force, company executives will have to make it a priority for 2017. With the imminent appointment of the Information Regulator, companies urgently need to upgrade their information technology security systems ahead of the implementation of the Act.
The Act regulates how companies handle, keep and secure personal information and was already signed into law three years ago.
Xperien chief executive officer Wale Arewa says PoPI gives everyone an additional year from the commencement date to comply with its requirements. “Even though they still have more than a year to make arrangements to comply after the commencement date, I strongly recommend they rather make it a priority.”
“There are serious penalties: besides the possibility of prison terms and fines of up to R10-million, PoPI also allows individuals to institute civil claims. This means there is the possibility of further financial loss on top of any fine that may be imposed,” he adds.
Mr Arewa warns that the Act will also require IT Asset Disposal (ITAD) accreditation. “Business executives responsible for IT asset management also need to understand the principles of ITAD and they need to consider regulatory compliance and the protection of company information. They will soon face massive fines, civil claims and reputational damage if they fail to comply.”
“They should be extremely cautious when appointing asset disposal service providers. It is important to check for accreditations like ISO 9001 and ISO 14001, or even membership of a professional body like the International Association of IT Asset Managers (IAITAM),” he says.
IT asset managers should seek to understand how ITAD service providers add value to the process. An ITAD vendor that takes a proactive role can start as early as the planning process for asset acquisition, and continue through the product lifecycle and into asset disposition.
As an advisor, the ITAD vendor can help make refurbishing decisions that preserve maximum resale value. By remarketing clients’ IT assets through retail channels, an ITAD vendor specialising in asset value recovery helps clients recover more money from IT asset disposition while fully meeting environmental and data security standards.
“Reputable asset disposal service providers should develop effective solutions to address everyday challenges, beginning with the risks associated with data loss. Handover of retired equipment should be immediate to avoid the inevitable loss that occurs in IT storerooms,” he explains.
Furthermore, secure reverse logistics with a chain of custody should be provided for each item containing a hard drive, and daily trend reporting must be included so that undesirable trends can be identified before they become critical.
Asset disposal service providers should offer a secure chain of custody for the assets, have a call centre to schedule hardware collection, and provide packaging and secure transportation. They should also provide onsite data elimination and mobile hard drive destruction, and issue data destruction and eWaste disposal compliance certificates.
“The PoPI Act will have serious consequences in the near future. It won’t be long before we start reading about companies that have been fined for non-compliance and this in turn will encourage other companies to adopt the principle of ITAD, which will ultimately protect companies from reputational loss,” he concludes.