Insurers are ‘responsible parties’ in terms of PoPI are bound by the requirements for lawful processing of personal information and the regulations set the bar for the entire industry with each insurer having its own challenges to ensure compliance, depending on existing privacy protection practices.
Ensuring compliance can be an arduous process, but the cost of compliance with the Act must be assessed on a case-by-case basis, and, depending on the entity, the time for implementing the necessary processes can vary from weeks to months. In most instances, compliance extends beyond merely revising policies, but involves reworking existing information processing practices, and training staff.
Possibly the most imminent risk for the insurance industry, as with most industries, is that their existing internal policies and practices are non-compliant and therefore in contravention of the provisions of PoPI In addition, the non-compliance of intermediaries such as brokers also poses risk to insurers, especially in the case of smaller intermediaries that do not have the resources to ensure compliance with the regulations, says Stephan Haynes, associate, Gillan & Veldhuizen Inc.
“Due to its inherent nature, it is common practice for the insurance industry to processes personal information and, in some instances, special personal information. The systems for collecting, processing and storing personal information will have already been established and so will now require updating, bearing in mind PoPI’s principles for processing personal information,” Haynes says.
There are eight conditions or guidelines set out within the Act that determine whether the processing of information is lawful; however, these conditions establish the minimum requirements and should by no means be ranked in order of preference for compliance purposes. Insurers must adapt a holistic approach to ensure that all eight principles are complied with, failing which their actions will be deemed as ‘unlawful processing of personal information’.
Non-compliance can result in huge fines for insurers. The Act makes provision for offences, penalties and administrative fines of up to R10m. In addition, non-compliance may lead to an action by data subjects for civil damages based on the breach of statutory duties. The most damning effects of non-compliance could be the public reaction for disregarding the security of data subjects’ personal information, which reputational damage could easily outweigh the harshest of administrative fines. “In a time where consumers place high value on the protection of their personal information, the reputational risk of non-compliance cannot be overstated,” says Haynes.
In general, compliance constitutes good corporate governance and reduces the risk of the entity which not only safeguards the corporate controllers but benefits its stakeholders.
