Getting POPIA compliant for travel businesses

If you’re feeling POPIA fatigue, you’re in good company. Signed into law in 2013 but only enacted 30 June 2021, with a year’s grace period, the POPI Act has had several years to instil fear and fatigue in the hearts and minds of the travel industry.

Yes, everyone must comply with POPIA so it’s important to get your data protection and privacy house in order, but it’s not nearly as terrifying a task as many make it out to be.

ASATA Counsel and Novation Consulting Founding Director Elizabeth de Stadler takes us on a ‘What is POPIA’ journey in 600 seconds and answers your questions on how to become POPIA compliant and protect your business and data subjects with relative ease.

Although the government has set a ‘doomsday timer’ until POPIA D-Day online, being POPIA compliant is much more of a long-term objective, says Elizabeth.

POPIA compliance isn’t easy, and it requires a lot of work to be fully compliant. In fact, come 1 July 2021, very few companies will be fully POPIA compliant. “ITCs or small businesses like mine will not be POPIA compliant (by the deadline), mainly because it is very difficult and long term.”

According to Elizabeth, POPIA covers three broad areas. The first is information security. This refers to looking after the confidentiality, integrity and availability of the information you hold. Most people think of information security as confidentiality alone, but it also includes making sure your information is of a high quality (integrity) and that it remains accessible regardless of the situation (availability).

The next area is privacy. This relates to what type of information you have and what you are allowed to do with that information. Lastly, the third area is records management, that is, what information should be kept and for how long.

Elizabeth gives six rules of thumb when it comes to protecting personal information:

  1. Less is more: Use the least amount of personal information and processing. Review your forms so you can spot over-collection of personal information and see how your business processes could be more efficient.
  2. No surprises: Would the data subject be surprised to learn that we do this with their personal information? If you’re using personal information for unusual reasons, make sure you have a legal basis, but also tell data subjects what you are doing in your privacy notice.
  3. Don’t share information without protection: Don’t share personal information with external parties without a contract which explains who is responsible for what. Ascertain whether you have a legal basis for sharing that information.
  4. Check yourself: When you are doing something unusual, trust your gut. Ask yourself: what if this was my personal information?
  5. Use it or lose it: Personal information should only be retained for as long as necessary to achieve the purpose for which it was collected, so do a spring clean, don’t be a hoarder and destroy things securely.
  6. Destroy it, don’t spread it: It is harder to get rid of personal information than you think. Bins are dangerous – 90% of identity theft starts with a piece of paper. Make sure you destroy personal information in a secure way and keep proof of what you destroyed, when and how.

Most importantly, Elizabeth advocates paying particular attention to your information security. This is especially relevant for small businesses. According to Verizon, 42% of cyber-attack victims are small businesses, and nearly 60% of SMBs fold within six months following a cyber-attack.

“If you take nothing out of today’s webinar, please increase your cyber security, 47% of small businesses get compromised. Although it is not cheap it doesn’t have to be expensive,” says Elizabeth.

She also outlines a few things travel businesses could do to improve their POPIA compliance by 1 July:

  • Set Up a Compliance Framework: A policy that outlines what you do to be POPI compliant. This includes your policy on data privacy, records management and information security management.
  • Check that you comply: Have a conversation and get a handle on what you do. List all the activities that you perform with personal information. Talk through the policies: what are you doing right, and what are you doing wrong? Decide what is important to fix and by when you will do it. Keep a record of what you are doing and your reasons for those decisions, because you may be called on to defend them in future.
  • Register your information officer: Complete the form on the regulator’s website (mandatory) before 30 June 2021. The form will be open from 1 May.
  • Review your forms and terms: Remember less is more. Do you need it all? Remember, no surprises! Are you transparent about what you collect and what you do with it? Have a privacy notice. Check that you have a legal basis for each piece of personal information. Are your terms recording all of your purposes and are your forms efficient and user friendly?
  • Have a Privacy Notice: You will need one for each data subject. Google it!
  • Have a PAIA Manual: From 30 June you must have a PAIA Manual. Just Google it!
  • Share with care: Be careful when you share information with other organisations. Think about whether you have a handle on who you share what information with? Do you know why you share that information? Who is responsible for POPI compliance? Is there a contract in place that contains a data protection clause? Does the data subject know that you are sharing the information?
  • Check your security now: Get an information security firm to audit your systems. It is worth spending the money to check that your data is secure.
  • POPI is a people problem: Tech on its own is not going to solve all your POPI problems. The solution is training and information. Employees generally do not act out of malice; a lack of information and training is what causes mistakes.

It is all good and well knowing the theory behind what POPIA is and what you need to do, but what methods can you employ to become more secure?

An important point to ensure POPIA compliance is to use email sparingly when it comes to sharing data. Applications and company-controlled technology such as SharePoint and Microsoft Teams are much better options: they are more secure, and they decrease your personal risk. If you must use email, lock your attachment with a password and send that password via a different communication platform, such as WhatsApp. Also remember to put people in ‘BCC’ rather than ‘CC’ when you are emailing large groups, so that you don’t inadvertently cause a data breach by exposing every recipient’s address to everyone else!
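As an added illustration (not from the article or the webinar), the two email rules above can be turned into a pre-send check: flag a draft whose To/Cc lists expose more than a handful of addresses, and flag any attachment that is not a password-protected ZIP. The recipient threshold, the addresses and the attachment contents are constructed for the example; a real deployment would use its own policy values.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 5  # constructed policy threshold, not from the article

def visible_recipients(msg) -> list:
    """Addresses every recipient can see: To and Cc headers, never Bcc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})

def is_password_protected(data: bytes) -> bool:
    """True only if the payload is a ZIP whose every entry carries the
    encryption flag (bit 0 of the general-purpose flags field)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            return bool(infos) and all(i.flag_bits & 0x1 for i in infos)
    except zipfile.BadZipFile:
        return False  # not a ZIP at all, so nothing protects it

def check_outgoing(raw: bytes) -> list:
    """Return policy findings for a raw draft; an empty list means it may be sent."""
    msg = message_from_bytes(raw)
    findings = []
    seen = visible_recipients(msg)
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        findings.append(f"{len(seen)} addresses visible in To/Cc; use Bcc for bulk mail")
    for part in msg.walk():
        name = part.get_filename()  # None for the body and multipart containers
        if name and not is_password_protected(part.get_payload(decode=True)):
            findings.append(f"attachment {name!r} is not a password-protected archive")
    return findings

def build_draft(to, cc=(), bcc=(), attachment=None) -> bytes:
    """Construct a sample draft (constructed test data, not a real message)."""
    msg = EmailMessage()
    msg["From"] = "bookings@example-travel.invalid"
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg.set_content("Itinerary attached.")
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Running `check_outgoing(build_draft(eight_guests, attachment=("passports.xlsx", data)))` produces two findings, while the same guests in `bcc` with no attachment pass cleanly.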

Finally, POPIA is something that takes time. Elizabeth says you need to be able to show that you behaved “reasonably”. One of the key take-aways is that you must show that you have done the best you can to become POPIA compliant, check that your security is up to date, use common sense and keep your staff trained at all times because POPI is after all “a people problem”, not just a tech problem.

To view the POPIA Compliance webinar with Elizabeth de Stadler, click here, or check out the handy POPI resources linked below.