The insurance environment in South Africa has received much attention of late and has had to evolve at a rapid pace, driven by increasing regulation, competitive pressures and the development of new, innovative technologies. Arguably the biggest change has been brought about by POPI and the revision of policies and practices pertaining to the collection, processing and retention of personal information by insurance companies.
Insurers as ‘responsible parties’ in terms of POPI are bound by the requirements for lawful processing of personal information and the regulations set the bar for the entire industry with each insurer having its own challenges to ensure compliance, depending on existing privacy protection practices.
Ensuring compliance can be an arduous process, but the cost of compliance with the Act must be assessed on a case-by-case basis, and, depending on the entity, the time for implementing the necessary processes can vary from weeks to months. In most instances, compliance extends beyond merely revising policies, but involves re-working existing information processing practices, and training staff.
Stephan Haynes, Associate at commercial law firm Gillan & Veldhuizen Inc., says that possibly the most imminent risk for the insurance industry, as with most industries, is that their existing internal policies and practices are non-compliant and therefore in contravention of the provisions of POPI. In addition, the non-compliance of intermediaries such as brokers also poses risk to insurers, especially in the case of smaller intermediaries that do not have the resources to ensure compliance with the regulations.
“Due to its inherent nature, it is common practice for the insurance industry to processes personal information and, in some instances, special personal information. The systems for collecting, processing and storing personal information will have already been established and so will now require updating, bearing in mind POPI’s principles for processing personal information,” Haynes adds.
There are eight conditions or guidelines set out within the Act that determine whether the processing of information is lawful; however, these conditions establish the minimum requirements and should by no means be ranked in order of preference for compliance purposes. Insurers must adapt a holistic approach to ensure that all eight principles are complied with, failing which their actions will be deemed as ‘unlawful processing of personal information’.
Non-compliance can result in huge fines for insurers. The Act makes provision for offences, penalties and administrative fines of up to R10 million. In addition, non-compliance may lead to an action by data subjects for civil damages based on the breach of statutory duties. The most damning effects of non-compliance could be the public reaction for disregarding the security of data subjects’ personal information, which reputational damage could easily outweigh the harshest of administrative fines. “In a time where consumers place high value on the protection of their personal information, the reputational risk of non-compliance cannot be overstated,” states Haynes.
In general, compliance constitutes good corporate governance and reduces the risk of the entity which not only safeguards the corporate controllers but benefits its stakeholders.