Webinar unpacks the POPI Act from an HR perspective

HR professionals have many responsibilities but none as important as protecting employees and their personal information.

A webinar hosted by CHRO SA in partnership with LexisNexis unpacked the duties of HR professionals when it comes to the Protection of Personal Information Act (POPIA) compliance and how this has been impacted by Covid-19.

The purpose of POPIA is to protect people from harm by safeguarding their personal information: to stop their money being stolen, to stop their identity being stolen, and generally to protect their privacy, which is a fundamental human right.

Ahmore Burger-Smidt, the director and head of data and privacy at Werksmans Attorneys, together with Gcobisa Ntshona, the HR director at LexisNexis, painted a picture to help the audience to visualise and understand the key aspects of the act.

Obligation to protect employee’s data
Ahmore said the reality is that POPIA is going to change the way organisations process, store, secure and manage information.

“HR and talent functions act as custodians of significant volumes of often sensitive or personal data in every organisation and must therefore take centre stage as this new and demanding law comes into full operation.”

HR professionals have many responsibilities but none as important as their duty to protect employees and their companies, said Ahmore.

“Knowledgeable and proactive HR managers are an important line of defence against phishers, identity thieves and hackers when it comes to increased targeting of businesses and their employees.”

She added that laws and internal policies often require HR departments to collect and handle a tremendous amount of employee information and if thieves can access HR records, they have struck gold.

Major costs associated with data breaches and loss of employment
If a company experiences a data breach or employees have their personal information compromised, the business will likely take a huge financial hit, said Ahmore.

“It's not all fines and lawsuits either, many of the costs are not as clear cut as you might imagine. Companies always need to think about reputational damage, the PR nightmare that comes with the data breach and employee disengagement.”

Ahmore shared two steps that HR can take to protect employee data:

1. Provide thorough and continuous training:
A few items to consider might include what information about employees should be stored on the network, who should be allowed to view and edit sensitive employee data, how this data should be stored and encrypted and how and under what circumstances should the data be shared.
2. Develop a comprehensive cybersecurity plan:
A few fundamentals you can consider when developing your strategy could be how will you conduct internal risk assessments, who will compose your in-house team to address security issues, should you hire an outside team to assess network vulnerabilities and what will be the plan if employee or customer data is exposed?

Gcobisa shared some of the steps they have taken at LexisNexis, explaining that the company has a data privacy team at a global level that looks at data privacy-related issues across all departments.

“When we heard that we needed to be compliant with POPIA we carried out a requirement review that looked at what was expected of us to do as a firm, and what impact will the act have in our organisation in all divisions.”

Gcobisa said the second step after the consultation was a privacy assessment which was, “doing a data review exercise around all our data assets and looking for cracks and what came with the exercise was a remediation action plan.”

She said in addition to that they drafted a privacy policy, raised awareness among all employees, did immense training around POPIA and privacy and have amended contracts with operators.

Gcobisa said they are now finalising the appointment of their information officer, “We are ensuring that the person complies to the requirements – that they are senior and will be up to the task of making sure that our data will be handled in a confidential manner and with the integrity that it deserves.”

The 12-month grace period to comply with the comprehensive requirement set out in POPIA ends on 30 June 2021 and the potential consequences of non-compliance can result in significant penalties – up to 10 years imprisonment and/or a fine of R10 million in administrative fees following civil action for damages instituted by the regulator or by the data subject.