Page 27 - EngineerIT August 2022 Digital
PoPIA
Are you overengineering your processes to placate personal data?
POPIA is good, but a lack of understanding of POPIA often results in overengineered data processes, which in turn is bad for business, writes Jason Shedden, chief operating officer at Contactable.
The Protection of Personal Information Act (POPIA) is a critically important and necessary piece of legislation that the consumer has long been waiting for. In terms of protecting people’s personal information, it aligns South Africa with markets in the rest of the world and, amongst many other things, it has helped limit the extreme abuse of personal information among more dubious operators, such as groups profiting from relentless sales and robocalls.
Companies are now striving to be compliant to avoid POPIA’s substantial fines and consequences, such as losing customers and brand damage. Ironically, however, in doing so many companies are experiencing churn because they jumped onto the compliance bandwagon without a comprehensive understanding of the legislation. As a result, they went to extremes when re-engineering their business processes.
Damned if you do and damned if you don’t? Not entirely - the real issue is that companies fail to put POPIA into context, given their risk appetite for using personal information in day-to-day operations.
Let’s compare two extremes as an example, by considering different business scenarios for both a bank and a basic service provider. A bank can offer you an account, which allows you to transact with large sums of money. A basic service provider simply needs to verify your particulars in order to “know you” and conclude a service contract.

The two types of accounts represent different levels of risk both in terms of legislation and business consequences, and the scope of personal information they need to onboard a new customer is therefore very different. Both will use KYC (Know Your Customer) processes, yet the basic service provider would not need to process the same levels of personal information as the bank does, and each entity should follow the principle of ‘minimality’ by only collecting the minimum required personal information about their clients. As an example, a bank would require a comprehensive understanding of its client to comply with anti-money laundering laws, while a service provider would not necessarily need to. This is the difference between conducting adverse media screens, Politically Exposed Person Screening, Enforcement List Screening or Sanction List Screening - or not. It is also the difference between processing a client’s personal biometric data or not (which is classified as special personal information).
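The minimality principle above can be made enforceable at the intake boundary rather than left to policy documents. The following is an added example, not code from the article or from Contactable: it encodes a hypothetical two-tier policy (a basic service provider and a bank), with constructed field names and sample records, and reports both over-collection (fields the tier has no business holding, such as a biometric template for a simple service contract) and under-collection (AML screening results a bank is obliged to have). Both directions matter, since the article's point is that companies over-engineer and under-engineer in equal measure.

```python
"""Added example: checking onboarding records against a per-tier minimality policy.

Tier names, field names and sample values are hypothetical and constructed for
illustration; they are not taken from the article or from any real KYC product.
"""
from dataclasses import dataclass, field

# Constructed field groups. Which group a tier needs follows the article's
# bank-vs-service-provider distinction.
IDENTITY_CORE = {"full_name", "id_number", "contact_email"}
AML_SCREENING = {
    "source_of_funds",
    "pep_screen_result",            # Politically Exposed Person screening
    "sanctions_screen_result",      # sanction / enforcement list screening
    "adverse_media_result",         # adverse media screening
}
BIOMETRIC = {"facial_biometric_template"}  # special personal information under POPIA

# Hypothetical policy: what each tier MUST collect and what it MAY collect.
TIERS = {
    "basic_service": {
        "required": IDENTITY_CORE,
        "permitted": IDENTITY_CORE,
    },
    "bank_account": {
        "required": IDENTITY_CORE | AML_SCREENING,
        "permitted": IDENTITY_CORE | AML_SCREENING | BIOMETRIC,
    },
}


@dataclass
class MinimalityReport:
    tier: str
    over_collected: set = field(default_factory=set)   # held but not permitted for the tier
    under_collected: set = field(default_factory=set)  # required by the tier but missing

    @property
    def compliant(self) -> bool:
        return not self.over_collected and not self.under_collected


def check_minimality(tier: str, record: dict) -> MinimalityReport:
    """Compare the populated fields of an intake record with the tier's policy."""
    policy = TIERS[tier]
    populated = {k for k, v in record.items() if v not in (None, "")}
    return MinimalityReport(
        tier=tier,
        over_collected=populated - policy["permitted"],
        under_collected=policy["required"] - populated,
    )


def minimise(tier: str, record: dict) -> dict:
    """Return a copy of the record holding only the fields the tier permits.

    This is the corrective step for an over-engineered process: drop what the
    business has no purpose for, instead of storing it because the form had a box.
    """
    permitted = TIERS[tier]["permitted"]
    return {k: v for k, v in record.items() if k in permitted}


# Constructed sample intake records (placeholders, not real personal data).
SERVICE_PROVIDER_OVERCOLLECTED = {
    "full_name": "A. Example",
    "id_number": "0000000000000",                 # placeholder, not a valid ID number
    "contact_email": "a.example@example.invalid",
    "sanctions_screen_result": "clear",           # not needed to conclude a service contract
    "facial_biometric_template": "<bytes>",       # special personal information, not needed
}

BANK_UNDERCOLLECTED = {
    "full_name": "B. Example",
    "id_number": "0000000000001",                 # placeholder
    "contact_email": "b.example@example.invalid",
    "source_of_funds": "salary",
    "pep_screen_result": "clear",
    "adverse_media_result": "clear",
    # sanctions_screen_result is absent: under-engineered for the bank's AML duties
}


if __name__ == "__main__":
    for tier, record in (("basic_service", SERVICE_PROVIDER_OVERCOLLECTED),
                         ("bank_account", BANK_UNDERCOLLECTED)):
        report = check_minimality(tier, record)
        print(tier, "compliant" if report.compliant else "non-compliant",
              "over:", sorted(report.over_collected),
              "under:", sorted(report.under_collected))
    trimmed = minimise("basic_service", SERVICE_PROVIDER_OVERCOLLECTED)
    print("after minimise:", sorted(trimmed))
```

Running it shows the service provider record flagged for holding a biometric template and a sanctions result it does not need, and the bank record flagged for a missing sanctions screen; `minimise` brings the service-provider record back to the identity core, after which the check passes. The useful design point is that the policy is data (`TIERS`), so the same check serves every product line and can be reviewed alongside the legal basis for each field.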
In the wake of POPIA, what is often observed, however, is that companies ignore such distinctions and over-engineer their business processes to meet compliance standards not fit for their business, and thus lose their “fit for purpose” context, which in turn compromises their customers’ user experience. In the absence of understanding, businesses throw caution to the wind and engineer to the extreme in order to mitigate legal repercussions.
The opposite also holds true, in that many businesses, in the absence of understanding, under-engineer their