POPI an opportunity for insurance companies to develop an edge
The Protection of Personal Information Act (PoPI Act) is making a significant impact on
businesses as they continue to scramble to ensure they are compliant with regulations.
Essentially, the purpose of the PoPI Act is to provide parameters for South African
businesses for the collection, processing, storing and sharing of any personal information
supplied to them, holding them accountable for any loss or abuse of any information they
possess.

PoPI mandates the following eight conditions for the lawful handling and processing of
information:

1. Accountability - Companies receiving information are now accountable for the manner
in which the information is handled, processed and disseminated; client consent is
required before any personal information is shared;
2. Processing limitations - Personal information may only be processed in a fair and lawful
manner and only with the consent of the data subject;
3. Purpose specification - Personal information may only be processed for specific,
explicitly defined and legitimate reasons;
4. Further processing limitations - Personal information may not be processed for a
secondary purpose unless that processing is compatible with the original purpose;
5. Information dissemination and quality - Information needs to be accurate and well
maintained, and only accessed or used by those who, by law, require access to the
information;
6. Openness - The person whose information is being collected must be aware that the
company is collecting such personal information, and why;
7. Security standards - Personal information must be kept secure against the risk of loss,
unauthorised access, interference, modification, destruction and disclosure;
8. Data subject participation - People may request information as to where their personal
information is held, as well as be involved in the correction and/or deletion of any
personal information held about them.

Information-dependent insurance companies are finding themselves in a position of
needing to consolidate all their information in order to comply with these new conditions,
no easy feat. But there are many underlying advantages to this process which
insurance companies can benefit from, if they embrace digitalisation and disruptive
technology.

Under the PoPI Act, any person who gives out personal details now has a right to be
informed about where their information is stored, what it is being used for and even how
many copies a business has of any supplied documents. This ensures companies are held
accountable for the manner in which they handle personal information, and companies
need to have information at their fingertips, while offering their clients full transparency
into their information, at any time. This is an arduous task for any paper-based insurance
company still using legacy storage systems and data silos.

Data-driven insurance companies rely heavily on data warehouses and marts for the
storage, access and dissemination of information received. These warehouses and marts
need to ensure that the data they store is contained in a lawful manner and that they are
mindful of the processing limitations of PoPI. To comply with PoPI, insurance companies
need to gear up and start preparing for the additional administration which they will be
expected to do. Highlights of the requirements are:

- Written agreements required with service providers to confirm compliance with the POPI Act;
- The need to be open to system inspections by clients, as well as being prepared to
  provide data maps confirming storage and backup locations, and access management
  and tracking;
- The need to be able to show service providers' landscape and back-end solutions to
  verify that they are secured according to POPI Act requirements;
- To ensure any cross-border data transfers comply accordingly, including mail and
  mobile synchronisation;
- To secure/encrypt all relevant transmissions;
- The alignment of data retention policies between service providers and their clients;
- That solutions include sufficient protection by design which is also ensured in delivery.

In order to comply with PoPI's conditions, insurance organisations need to have a measure
of control over who accesses and uses the personal information they receive from their
clients, and for what purposes the information is to be used. Using Cloud technology,
insurance companies can safely store information in a centralised location, while
enabling automation and, because various departments can easily and quickly access
what they need without being able to tamper with the information unless expressly
permitted, processes also become faster and the whole customer experience is
enhanced.

Automation of data processing also carries additional benefits such as speeding up
application and approval processes. Potential clients can complete an online application
and receive approvals within minutes as various data models allow for instant connection
to statutory bodies for the verification of the applicant's address, financial status, legal
status, credit record and more. This easy access may sound alarming and
counterproductive to the PoPI Act, but the PoPI Act's security mandates also mean that,
while this information can be readily accessible with the right tools, it must also be
handled responsibly and safely.

Cyber security needs to be a priority of all insurance companies who are looking to
automate and centralise their data, particularly when they make use of cloud technology.
It is imperative that companies invest heavily in this from the outset and do not add it as
an afterthought. Regulatory bodies may impose fines of up to Ten Million Rand for
violation of the PoPI Act, which can be followed up by more fines and even imprisonment,
depending on the severity of the violation, so it is in a company's best interests to be
proactive with regards to security rather than reactive.

There is increased pressure on organisations to guard against cyber-attacks. Identity is
the common thread in many of these breaches. Protection is achieved by governing and
managing various rights, facilitating and controlling access, and monitoring user activity.

While it is certain that hackers are continually looking for ways to get inside
organisations, it's no secret that most security breaches in companies are caused by
insider activity: misuse, accidents, disgruntled employees or people being paid by
criminal elements. These miscreants recognise that the easiest way of accessing
information is to get hold of legitimate passwords. The methods they use to do this range
from straightforward spying to social engineering, and often target privileged users.

Quite often, the ultimate target for hackers is not the company data itself, but for
example customer records which can contain personal information, credit card details or
healthcare records. Insurers, who handle incredibly sensitive information, should
investigate implementing security measures across all layers of their network and data
management systems, and not just look at firewalls. Effective cyber security should
include multiple ways across all layers to manage identity to minimise breaches.

There are a number of emerging technologies that can help insurers to remain compliant
with the PoPI Act, and at the same time protect themselves against cyber threats, while
also providing a multitude of other benefits. Disruptive technologies such as information
sharing and storing applications, the Cloud (although already a fairly entrenched
technology) and data mining tools such as social media analytics, all make for aiding
compliance while speeding up processing and improving the customer experience
through automation. It is vital, however, that these technologies be implemented
properly and with security at the top of mind to avoid them becoming the reason for non-
compliance.

The POPI Act is going to revolutionise how organisations manage personal information
and data. Although complying with the legislation is most certainly going to affect a
business's bottom line, these costs will be significantly less compared to the fines
potentially placed on transgressors.

By relying on service providers who can lend their expertise and knowledge to the
recommendation and implementation of any new technology, insurance companies can
evade the potentially disastrous and expensive pitfalls of poor installation, unsuitable
technology, inferior cyber security systems and a data management system that doesn't
comply with the PoPI Act.

Jaqueline Van Eeden is the Financial Service Business Development Executive and Gavin
Holme is the Country Head at Wipro Limited.

Copyright Osgard Media 2016. All rights reserved.