Earlier this year Elizabeth wrote a useful article entitled ‘5 Reasons why POPI Compliance Matters’. While Elizabeth’s article addressed why POPI compliance matters, this article focusses on what happens if you don’t have POPI compliance.
If you are a compliance officer, these are the sticks you can use to get the business to commit to (and spend money on) good data governance.
- You lose personal information (and trust). Often businesses don’t appreciate the fact that customers provide personal information to them because they trust them to keep the personal information safe and use it for the purposes for which it was given. However, customer surveys clearly show that a data breach makes customers likely to bring legal action against the company and – more insidiously – results in customers being less willing to share their personal information. According to a research paper by authors from Carnegie Mellon University and Harvard University, the impact of privacy incidents on a company’s share price is ‘significant and negative, although it is short-lived’. In other words, you are quite literally worth less money after a breach of privacy. (Check out this infographic on the world’s biggest data breaches since 2010.)
- You cannot interact with other companies. Privacy and the protection of personal information has gone global. This means that if you are not respecting personal information, foreign companies and governments will not want to work with you. Often this isn’t even a choice. For example, the new EU Data Regulation devotes the whole of chapter 5 to whether (and how) personal information can be transferred to third parties. Put simply, you will not be able to work with other companies if your company does not respect personal information.
- Your reputation is harmed. A data breach almost always results in reputational harm. If you are wondering whether this can have an impact on profit, read this Forbes article on the actual cost of the Target breach (hint: profits fell by a third in that year). This remains true even if the data breach could not have been anticipated and everyone did everything they could have. What is less obvious is that the Information Regulator can dictate the way in which your data breach will be publicised. So, for example, the IR may require you to publish the fact that you had a data breach in the Sunday Times (getting that sinking feeling?).
- You will spend less money on lawyers. Often the cost of a failure to consider legal compliance seems difficult to assess. Why would you spend good money on compliance when you could use it for marketing and sales? The simple reason is that compliance reduces the legal risk for your company. This in turn means that you have fewer disputes, and the disputes you do have you tend to win. Never underestimate just how expensive litigation can be. (Remember that you also have to worry about the Information Regulator imposing administrative fines of up to R10 million per incident.) Prevention really is better than the ‘cure’.
While making sure personal information is protected is old news for countries in the European Union (the EU Data privacy directive was published in 1995 and updated in 2016), the change in mindset from ‘the personal information of my customers/employees/suppliers is an asset that I have exclusive control over’ to ‘customers/employees/suppliers have rights to see, update and object to us using their personal information, and to hold us responsible for what we do with their personal information’ is a surprisingly large mind-shift. In fact, we always recommend that a change manager is used for these projects, as people naturally resist change (it’s just what people do), and developing good strategies to make sure the company culture changes is often vital for a successful POPI project.