By Tracy Bolton, director: General Business at SAP Africa
On 25 May this year, a new piece of legislation came into effect in Europe that could have severe consequences for non-compliant South African businesses. The General Data Protection Regulation – or GDPR for short – is a regulation under European Union law that aims to give control over personal data back to EU citizens.
The regulation applies to any organisation that collects or processes data from EU citizens, even when that citizen or organisation is based outside the EU. The European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life”. This includes names, home addresses, photos, email addresses, bank details, social media posts, medical information, or even a computer’s IP address.
The fines for non-compliance are severe and could spell the end of a business practically overnight: the maximum fine is as much as €20-million, or nearly R300-million. What’s more, the regulation is far-reaching: any company with an EU citizen among its workforce, a customer based in the EU, or even a single subscriber to its newsletter who is based in the EU can be held liable under GDPR. Few if any mid-sized South African firms could afford such a steep sanction, and legacy issues compound problems around compliance, increasing their risk and potential liability.
In response, technology firms are taking unprecedented steps to ensure they and their customers remain within the confines of the new regulation, especially considering the volume of trade and collaboration between African countries and their European counterparts.
Legacy processes add complexity to compliance
Most mid-sized firms have deliberately or inadvertently built up internal silos related to how customer, business and other operational data is stored. For example, in a typical retailer’s marketing department, the data storage systems that process newsletter subscriptions via email may be entirely separate from, and not integrated with, the WhatsApp number where much of the customer communication takes place. This means a customer who unsubscribes from a newsletter via WhatsApp may still receive the newsletter until such time as the retailer can integrate the two sets of data.
As GDPR comes into effect, companies will not only stand liable for fines should the above scenario play out, but they will also need to be able to provide customers with complete clarity on how their data is stored and managed at any point in time. Any costs incurred in the process of showing how customer data is stored are also for the company’s own account, which adds not only complexity to standard business processes but also potentially additional costs.
Considering the prevailing trust deficit between consumers and brands, the potential of being exposed for treating confidential customer data poorly is immense. Once trust is breached, affected customers are unlikely to engage with the brand again, and will leave a searchable and public trail of comments on social media for all to see. The recent case of Facebook – which now faces a fine of as much as $2-trillion – has brought this to the forefront of consumer consciousness, but other examples of poor customer data management abound.
On the basis of consent
For South African businesses, however, new technology tools could play an invaluable role in mitigating risks associated with GDPR and its South African counterpart, POPI. A recent investment by SAP into Consent is simplifying the business processes associated with creating trusted digital experiences within the limitations of GDPR and POPI compliance.
Part of the SAP Hybris suite of applications, Consent enables SMEs to centrally manage customer preferences and consent settings throughout their full lifecycle, while putting them in control of their own data. Consent enables companies to be transparent, gain loyal customers and protect their business from costly fines as well as potentially disruptive business processes related to proving to customers how their data is being stored and managed.
In line with modern business demands, Consent is also provided in the cloud, making it quick to implement and easy to prove ROI. Every time a policy changes, customers can receive an automated notification that they actively accept, with a record of such forms of consent stored centrally to allow SMEs to quickly and accurately prove responsible customer data management.
Whether you run an online retailer with customers around the world, or a news website where a European citizen may occasionally offer a comment on an article, GDPR holds inherent risks to your business. But with the correct technology tool, a potential R300m liability can be transformed into a competitive business advantage that furthers the cause of trusted and trustworthy digital customer experiences.
Seems an easy choice, no?
Since the Information Regulator South Africa – IRSA – came into office in December 2016, the pace has been picking up in the market for Protection of Personal Information Act (POPIA) products and services.
This has had a spill-over effect on the Promotion of Access to Information Act (PAIA), which also forms part of the responsibilities of the IRSA.
Unfortunately, not only has the pace picked up, but there has been some confusion sown through what might best be described as questionable marketing practices and erroneous reporting. One contact of mine recently received an email which included the following statement: “The Promulgation of POPI, (The Protection Of Personal Information Act) in the Gazette on 26 November 2013 now means you are required to update your PAIA Manual to incorporate the POPI.”
This is misleading, since the Government Gazette did not include the commencement of the POPI Act or even the commencement of the transition period. The same marketing email continued with the statement “ALL information users now must have strict chain-of-custody processes in place.” This is far from the case, as the POPI Act makes no reference to a “strict chain-of-custody”. In a similar vein the email stated “Businesses or persons who use/hold/verify or even request your Personal Information MUST now conform to the Act.” Not true.
This will only be so under certain conditions once the POPIA transition period has ended and right now it has not even started.
The same email then offers to help with the appointment of a “Compliance Officer”. No such individual is mentioned or required in terms of either POPIA or PAIA. What is required is an Information Officer, possibly supported by one or more deputies depending on the needs of each organisation. In September the IRSA issued a set of draft regulations which included specific reference to the role and duties of the Information Officer, more about which is available at the IRSA web site.
Perhaps of greatest concern is the statement that “at (name withheld) we made it very easy for you to get compliant in a simple and completely tax deductible manner. It takes you about 10 minutes to complete this process on our website.” Given the duties outlined in the IRSA draft regulations this statement should at least be seen as misleading.
This and other marketing emails that I have seen also push organisations to create or update a manual to comply with PAIA. In truth there are numerous exemptions to that requirement. To check whether you need to publish a PAIA manual please refer to the notice that appeared in the Government Gazette on 11 December 2015, signed by the then Minister of Justice and Correctional Services. For a free copy of the notice visit www.gpwonline.co.za and search for edition 39504.
Not only commercial organisations are guilty of misstating the facts. The Star newspaper ran an article in the Saturday Star Personal Finance column during September 2017 which contained the statement “The 12-month grace period to comply with the PoPI Act has expired, and the legislation is being applied in the public and private sectors.” That is factually incorrect, and I wrote to the author of the article twice in an attempt to have this incorrect statement corrected.
One of my letters (in part) appeared in the Personal Finance column on Saturday 30 September 2017 under the heading “Incorrect correction about PoPI Act”. The explanation of the true state of affairs was published along with an apology to me personally from the editor.
I repeat those contents below for completeness:
“On September 23 2017 on page 21 in the Personal Finance section an item appeared titled “Correction to article on PoPI Act”. Unfortunately the correction itself is incorrect. To state that the “12 month grace period for market compliance is now in force” is factually incorrect. The only sections of the PoPI Act that have commenced refer to the definitions of the Act and those provisions allowing the establishment of the Information Regulator South Africa (IRSA). These appeared in the Government Gazette in April 2014.”
In summary, be sure you are dealing with reputable sources when seeking advice on how and when to comply with new legislation in general and POPIA and PAIA in particular.
By Dr Peter Tobin
The South African Revenue Service (SARS) has done over 100 inspections of “cash and carry” businesses in Gauteng in the past month, it said in a recent statement.
About half of the businesses inspected did not comply with SARS’ rules regarding registration, filing or payment.
“SARS is closing in on those who under declare on their tax liability, both individuals and companies. We encourage all taxpayers to ensure their affairs are in order and they are contributing their fair share towards the cost of running the country,” says commissioner Tom Moyane.
The inspections of cash and carry businesses had seen several audit cases concluded, raising tax assessments for the past financial year by more than R600-million.
“There is a significant risk of under declaration due to poor record keeping and high volumes of cash transactions in this sector,” SARS says.
Registrations were now being conducted, with follow-ups on outstanding returns, collection of outstanding debt and further risk profiling for full audits where there was evidence of under declaration.
Compliance in any facet of business management is critical, but specifically when it comes to finances – hence the focus on accuracy and efficiency in payroll administration.
While payroll administration has always been demanding and has to be run by skilled practitioners with meticulous attention to detail and a heightened sense of responsibility, HCM and HR experts agree that it has become more complicated.
Businesses are compelled to be registered with various industry bodies, for example Department of Labour (UIF, Employment Equity, etc.), Commissioner of Occupational Injuries and Diseases (COID, FEM, RMA), SARS (PAYE, SDL, UIF), Bargaining Council and so on.
This level of industry compliance means that there are a number of common pitfalls that typify payroll administration.
Some of these pitfalls include incorrect calculation of statutory deductions and failure to make statutory submissions, for example to the Department of Labour (UIF19, EEA2, EEA4 etc.), the Commissioner of Occupational Injuries and Diseases (COID, FEM, RMA), SARS (EMP501, EMP201) and so on.
“The financial penalties for being non-compliant are very harsh,” says Ian McAlister, GM of CRS Technologies.
“And there are minimum requirements to be factored in, stipulated by the various Acts. There are several levels to compliance and this can be tricky for many businesses to handle – especially small-to-medium businesses that may not have the available capital to invest more in their payroll/HR capacity.”
According to HR and HCM solutions and services provider CRS Technologies an automated payroll for a small business generally starts at about R15 per employee, per month if run in-house.
“Outsourced payroll is in the region of R100 per payslip per month. A competent payroll administrator would earn about R30k per month,” says McAlister.
Going forward, the likelihood is that as payroll administration calls for more specific skills sets, legislation will be passed that will make it an offence to not run payroll on a recognised payroll system.
The company believes that it is next to impossible to run a compliant payroll on a spreadsheet.
The full force of new legislation relating to consumer rights, electronic communications and data protection, which takes hold this year, poses a major challenge for SMEs, who will have to comply with its onerous requirements, says Matthew Balcomb, CEO of Call Cabinet Southern Africa.
The Payments Association of South Africa (PASA) has mandated that all South African ecommerce merchants must ensure the implementation of 3D Secure on their sites.