The business environment in South Africa is changing rapidly, driven by increasing regulation, competitive pressures and the development of new, innovative technologies. The Internet of Things (IoT), Big Data, Bring Your Own Device (BYOD) and similar disruptive technologies have created an interconnected web of constantly evolving and shifting customer data. The growth of cyber-crime (which is advancing alongside the technologies) has the potential to create a data time-bomb. Insurers will need to ensure they are compliant in managing not only existing customer information but also the information that new technologies will generate in the future, while protecting against cyber-crime.
The Protection of Personal Information (PoPI) Act – which primarily governs the way personal information is collected, retained, used, disseminated, and deleted – will further stretch South African organizations, including insurers. There is little doubt that PoPI compliance will be a major challenge for insurers, who will have to change the way they store, handle, and process their customers’ personal information, and the way they report on breaches of it. Basically, PoPI compliance involves capturing the minimum required personal information, ensuring its accuracy and security, and removing from their software any information that is no longer required.
Customer information that enables an insurer to profile or identify a customer, or their interests, offers significant strategic value in today’s highly competitive insurance marketplace. As a result, insurers are constantly striving to increase the quality and depth of their customer data. Over time, though, the rights of customers to privacy and confidentiality may have gradually eroded. In some instances, this has given rise to sub-optimal information management practices.
Irrespective of the pressures to comply with regulatory data requirements, in today’s connected world insurers must put in place the software, structures, processes and governance controls to ensure data is secured, processed, and managed properly. This will be exceedingly difficult without modern policy administration systems (PAS) and digital customer engagement technology.
CLOUDING THE ISSUE
Perhaps one of the most interesting aspects of PoPI to consider is the utilisation of a cloud-based environment and whether personal data may be stored outside of the borders of South Africa. PoPI seeks to strictly enforce data sovereignty and prevent some offshore data flows. With cloud computing, and specifically the public cloud, data that insurers generate will probably reside on servers outside the legal or territorial border of South Africa. This means, in practice, that personal information of a customer may be subject to a foreign data regulatory regime, such as GDPR.
To be clear, PoPI does not expressly prohibit the transfer of customer data outside of South Africa. But it does regulate how personal information may lawfully be transferred internationally. Cross-border data flows are not prohibited. Instead, PoPI acts as an enabler and protector of personal information by providing a set of five conditions that a responsible party needs to apply. These conditions seek to protect a data subject’s personal information as it moves offshore. If none of these conditions are met, a data subject’s personal information may not be transferred outside of South Africa.