The Ashley Madison fiasco: The ramifications of not complying with the POPI Act

On 27 November 2013, President Jacob Zuma signed the Protection of Personal Information (POPI) Act into law. Because the Act covers virtually every kind of personal information, it will affect almost every business in the country, especially companies that plan events, which involves storing the personal information of hundreds of guests. The ramifications of not protecting personal information stringently enough were demonstrated by the recent Ashley Madison debacle, in which millions of members had their account and payment records exposed.

The Act governs the processing of any kind of personal information of “identifiable, natural, living person[s] and juristic person[s] (companies, CCs, etc.)”, including contact details, demographic information, medical and employment records and even personal correspondence. Once a commencement date is set, businesses will have one year to become fully compliant with the Act.

Millions of Ashley Madison’s users had their personal information leaked

In July this year, the dating website Ashley Madison (made famous by the fact that it facilitates extramarital affairs) was hacked by a group calling itself The Impact Team. The account information of millions of users was stolen and later leaked. The stated aim of the breach was to force the website’s parent company, Avid Life Media (ALM), to shut down after The Impact Team accused ALM and its members of “fraud, deceit, and stupidity”.

Strict data retention policies would have limited the damage of the breach

What made the leak so damaging was ALM’s policy of retaining users’ real names, email addresses, physical addresses and credit card transactions indefinitely. A user who wanted their account deleted had to pay the equivalent of R253, and even after the account was “deleted” the company still kept their data, as the leaks of 18 and 20 August showed. According to the technology blog The Verge, the company made R2.3 million in 2014 from this misleading paid-delete option. Had the data no longer existed, there would have been nothing to leak: a retention policy does not stop an intrusion, but it determines what an intruder walks away with.
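To make the point concrete, the following is an added illustration and not ALM’s code: a constructed users table and payment ledger in SQLite, a “soft delete” that only sets a flag (the pattern the leak exposed), and an erasure routine that actually destroys the identifying fields while keeping the amounts that accounting needs. The `dump_identifiers` function plays the attacker who has exfiltrated the whole database and ignores any application-level flag. All names, emails, card digits and amounts are made up.

```python
"""Soft delete versus real erasure of personal information (added example).

The schema, rows and helper names here are constructed for illustration
and are not taken from Ashley Madison's systems or the original article.
"""
import sqlite3


def make_db():
    """In-memory database with a constructed users table and payment ledger."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id        INTEGER PRIMARY KEY,
            email     TEXT,
            real_name TEXT,
            address   TEXT,
            deleted   INTEGER NOT NULL DEFAULT 0   -- the flag a soft delete sets
        );
        CREATE TABLE payments (
            id           INTEGER PRIMARY KEY,
            user_id      INTEGER,
            billing_name TEXT,
            card_last4   TEXT,
            amount_cents INTEGER NOT NULL
        );
    """)
    # Constructed sample data: two members who each paid R253 (25300 cents).
    conn.executemany(
        "INSERT INTO users (id, email, real_name, address) VALUES (?, ?, ?, ?)",
        [(1, "alice@example.org", "Alice Adams", "1 Long Street, Cape Town"),
         (2, "bob@example.org", "Bob Brown", "2 Main Road, Durban")])
    conn.executemany(
        "INSERT INTO payments (user_id, billing_name, card_last4, amount_cents) "
        "VALUES (?, ?, ?, ?)",
        [(1, "Alice Adams", "4242", 25300),
         (2, "Bob Brown", "1881", 25300)])
    conn.commit()
    return conn


def soft_delete(conn, user_id):
    """Weak pattern: hide the account from the application, remove nothing."""
    conn.execute("UPDATE users SET deleted = 1 WHERE id = ?", (user_id,))
    conn.commit()


def erase_user(conn, user_id):
    """Data-minimising pattern: destroy every identifying field for the user.

    Only the payment amounts survive (for the books). Both statements run in
    one transaction so a crash cannot leave half the personal data behind.
    """
    with conn:
        conn.execute(
            "UPDATE payments SET billing_name = NULL, card_last4 = NULL, "
            "user_id = NULL WHERE user_id = ?", (user_id,))
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))


def dump_identifiers(conn):
    """What an attacker who copies the whole database sees: every non-NULL
    identifying value, with no regard for the 'deleted' flag."""
    found = set()
    for row in conn.execute("SELECT email, real_name, address FROM users"):
        found.update(v for v in row if v)
    for row in conn.execute("SELECT billing_name, card_last4 FROM payments"):
        found.update(v for v in row if v)
    return found


def revenue_cents(conn):
    """Accounting totals are unaffected by erasure of the identifying columns."""
    return conn.execute("SELECT SUM(amount_cents) FROM payments").fetchone()[0]


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    soft_delete(db, 1)
    print("after soft delete:", sorted(dump_identifiers(db)))
    erase_user(db, 1)
    print("after erasure:    ", sorted(dump_identifiers(db)))
    print("revenue still accounted for (cents):", revenue_cents(db))
```

The soft-deleted account is invisible to the application but fully visible in a database dump, which is exactly the situation the Ashley Madison leak revealed. After `erase_user`, Alice’s email, name, address and card digits are gone while the ledger total is intact, which is what “destroying the data you no longer need” looks like in practice.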

Complying with the act will benefit your organisation in the long term

The Ashley Madison data leak didn’t only create bad press for the company; it had terrible consequences for its users. Complying with the POPI Act reduces the cost of a data breach, including fines, legal exposure and damage to your company’s image, because there is less data to lose. Compliance also demonstrates that you operate transparently, instilling greater confidence in your customers and stakeholders. Under POPI you will only store the data you absolutely need and destroy what you don’t, which shrinks the amount of personal information an attacker could ever take from your databases.

How you comply with POPI depends on the nature of your organisation

There are different requirements for complying with the POPI Act depending on the nature of your organisation. Even if your company already operates in a highly regulated environment and complies with other rules on protecting sensitive personal information, that compliance might not satisfy all of the POPI Act’s criteria; you will still be required to comply with the POPI Act in full.

Prepare to become POPI Act compliant sooner rather than later

Many firms underestimate the amount of work required to become POPI Act compliant. While in South Africa we are still awaiting confirmation of the date on which the POPI Act will come into effect, companies would do well to begin working towards compliance now. The Ashley Madison fiasco is one of the worst scenarios that can follow from failing to protect personal information.

POPI Act compliance is an important part of event planning

Planning an event involves pooling as much information about your guests and their preferences as possible, so that the event both resonates with them and achieves your marketing objectives. Even basic information like names, email addresses, dietary requirements and spouse names must be protected and processed in line with POPI requirements. Corporate event planning software built for POPI compliance helps you manage that data in line with the Act, although under the Act your organisation, as the responsible party, remains accountable for how the data is processed.

For more information about how POPI compliant corporate event planning software can help you avoid the nightmare of not processing and protecting sensitive information securely, download our Event Compliance Checklist.

Image Credit: garbamar.it
