It is going to be a tough ask to implement the Protection of Personal Information Bill, which is making its way through the legislative process before being promulgated, says KPMG.
The Bill was submitted to the justice minister in February last year and aims to protect personal information processed by public and private bodies. It is meant to be enacted in March this year, but this deadline may be pushed out, ITWeb reports.
Frank Rizzo, managing partner of IT advisory at KPMG, says companies could be asked by a customer to, for example, provide the client with all the information they have on that customer.
However, when dealing with large institutions such as banks, this means there are multiple databases, he says. “People don’t know what information they’ve got… all those bits of information in a million databases will have to be pulled together.”
In addition, companies can only keep information for as long as they can prove they need to have it, and it needs to be stored in such a way that it is depersonalised. “The way a company interacts with its customers will need to change,” says Rizzo.
Ryan Ruthven, associate director of IT advisory at KPMG, says there are exemptions in the Bill, such as when people allow their information to be shared, and when it is needed for legal reasons.
However, implementation will be a mammoth task, and is not just limited to IT, says Rizzo. He says IT aspects such as databases and information security go hand-in-hand with change management and legal processes.
So far, the exact cost of implementing the Act is not known. Rizzo says a large financial institution, for example, expects to fork out R200 million on its new systems and processes. The Act will reach wider than just financial institutions and touches every company that stores information on customers, so the cost could run into billions. The Department of Justice and Constitutional Development is expected to spend over R35 million to pilot systems for the Protection of Personal Information Bill.
Ruthven points out, however, that the cost of not implementing the Act when it comes into law will be even greater. He says that if a company fails to implement the requirements, and information it holds is compromised, it has to inform the people affected, and this could get into the media, causing brand damage.
Companies will have a year in which to implement and become compliant with the Bill once it is law. However, based on international experience in implementing these types of legislative changes, the deadline could be pushed out, says Ruthven.