Investing with safety in mind
This article was first published in the Quarter 3 2021 edition of Consider this.
- Personal data is becoming more valuable, and is under threat from increasing leaks, hacks and misuse. The Protection of Personal Information Act (POPIA) came into effect on 1 July 2021 with the goal of ensuring every individual’s personal information stays safe.
- Companies using personal data have had to improve their security through new IT systems and processes, staff training and awareness, and other measures. For example, Prudential introduced password-protected client communications from 18 June.
- Companies have also set up mechanisms to deal with security breaches, complaints and rectification, and individuals can lodge complaints with the Information Regulator.
The value of data to a business is immeasurable. It is used in the day-to-day functioning of the business, in the development of processes to provide exceptional service and products to its clients, and as a tool to measure success. Data is a very broad term that encompasses a business’ proprietary information as well as the personal information of its clients. It is this latter set of data that has become increasingly topical and in need of specific protection by the law, given the proliferation of its use in unintended ways and the increase in hacking and data breaches.
Arguably, your personal information is of greater value to you than to anyone else. Should that information land in the wrong hands, the consequences are potentially dire and may lead to great harm and loss. It is on this basis that several countries, including South Africa, have pushed for greater protection of client information by any party that possesses that information. Globally, changes to data protection laws have developed gradually: for example, the European Union (EU) enacted the General Data Protection Regulation (GDPR) in 2016, which came into effect in 2018, but many countries have yet to enact any specific data protection laws.
For the purpose of this article, our focus is the law directly governing the protection of personal information in South Africa, the Protection of Personal Information Act of 2013 (POPIA). Although POPIA was signed into law in 2013, it has undergone a long process of gestation, with the main provisions of POPIA coming into effect only recently, on 1 July 2021. As a South African company, Prudential must comply with POPIA to ensure that our clients’ personal information is always protected and processed lawfully.
Just what is POPIA?
As the name indicates, POPIA is the primary law in South Africa responsible for ensuring the protection of the personal information of natural and juristic persons (e.g. companies). This is a significant difference from the EU’s GDPR, which only protects the personal information of natural persons. The Constitution of South Africa provides everyone with the right to privacy, and POPIA is one of the tools that gives practical application and teeth to this general constitutional right. POPIA governs any processing of your personal information in South Africa and imposes certain minimum requirements for this processing.
Personal information is defined broadly in POPIA, but in short refers to any information that can identify you or is capable of identifying you. By personal information we do not mean general, statistical, aggregated or anonymous information, or other derivative data that does not, alone or with other data, identify a specific individual or person. Rather, examples of personal information include names, ID numbers, banking details, nationality and financial information. Another important term to understand is “processing”, which is also very broad and includes anything done to personal information such as collection, storage, retention, distribution and deletion of personal information.
In most cases clients provide their personal information to companies voluntarily for the provision of services or products. In the context of Prudential, as a client you would provide us with your personal information to ensure that we open an account in your name, administer the account, manage the assets you have entrusted to us, communicate with you, and collect and pay money to you.
Prudential is what is referred to as a “Responsible Party” under POPIA, which simply means we create the rules for the collection and usage of client information. In terms of POPIA, these rules are legitimate when we have a legal obligation or business need to ensure you are provided with services. However, it further and more importantly states that we are bound to use the information only for the purposes it was collected for and, where applicable, dispose of it when it is no longer required. This means that we may not provide your information to any unauthorised person without your consent, but instead ensure we have measures in place to guard against this, and consistently and diligently ensure that the processing of your information is in line with the provisions of POPIA and other applicable laws.
How do we protect your personal information?
There have been numerous cases of breaches of client data both globally and locally, and POPIA is meant to create obligations on all Responsible Parties to ensure that they have: 1) both operational and technical safeguards and measures to proactively guard against any breaches; 2) mechanisms for how to deal with breaches; and 3) an avenue for any person that has had their rights under POPIA infringed to request rectification or lodge a complaint. The body responsible for ensuring compliance with POPIA is the Information Regulator, and it has put in place measures to deal with any non-compliance by Responsible Parties and, more importantly, is open to the public to lodge complaints.
Despite the main provisions of POPIA only coming into effect recently, this does not mean that Prudential has previously taken these fundamental rights to privacy lightly. It has always been a cornerstone of how we conduct business to ensure that a high level of trust is maintained between ourselves, our clients, their intermediaries and our employees. This includes ensuring that our information technology systems are on par with best international standards and regularly tested; that our staff is adequately trained on an ongoing basis; that we have appropriate agreements with all our service providers so that they too are kept to this standard (because we are ultimately responsible for ensuring the protection and confidentiality of client information); and that we at all times keep an open avenue of communication with our clients.
Since POPIA is a new law, there is little to use as a yardstick or case law to assist with its interpretation and implementation. While this will inevitably lead to teething problems, we are confident that we have put the right measures in place to ultimately protect those that have entrusted us with their investments, and we will adapt accordingly as we receive further guidance.
Despite this being new terrain, the basic principles of privacy and confidentiality have always been a part of our business, and we have endeavoured to ensure that any changes we make do not adversely affect how you interact with us. Where possible, we have tried not to affect the client experience onerously.
Among the more noticeable changes we have already implemented, for example, you may have seen that from 18 June we added more security measures and encryption to all our email correspondence that contains information relating to your Prudential investments, including your investment statements and tax certificates. Your emails are therefore now password protected.
Aside from the communications that we are required to send to you (such as statements and product updates), we will also continue to provide you with articles and webinar invitations to better understand our business and investment philosophy, our products and any changes to them, and the often-turbulent environment in which we operate. This includes sharing market, economic and product information and any events and competitions we may be running. Your ability to opt out of these communications remains, and we will ensure that the process is clear and hassle-free.
Prudential is supportive of this legislation and of any legislation that has client interests at its centre. We will continue to treat your information with the utmost care, and endeavour to communicate only that information that we are obliged to send, or that we believe is useful and of value. We will also continue to engage you to ensure that our services are suitable and of a high standard. As always, we value any suggestions you may have to improve our services further and to provide you with only the information you need and wish to have.