ZA-WWW, 2009 conference

The future of information security in the light of the Protection of Personal Information Bill
V Etsebeth

Last modified: 2009-11-23

Abstract


Traditionally, companies conducted business in the physical world where the protection of corporate information/data could effectively be achieved through the implementation of physical security measures such as security guards, alarms or chain-linked fences. For some time now, however, companies have been conducting business in a digital corporate environment that is faceless, borderless and anonymous. The use of the internet, email, and other electronic communication systems is now part and parcel of everyday corporate life. Almost all transactions can be concluded electronically, and proof of and information regarding these transactions are often stored only electronically. Gone are the days when management had to ask their employees whether or not they would be able to obtain certain information. The problem of a shortage of information is an unpleasant distant memory. The questions that now give management sleepless nights relate to the protection of sensitive information/data. Who has access to the information? How long will they have access? What are they able to do while having access? How can their access be terminated? And who has the authority to change access? These are the vexing questions that haunt management at present.

Corporate South Africa has come to realise that the right to collect, store, use, communicate and transmit confidential and/or sensitive corporate information that the law affords one today comes with a corresponding legal obligation to protect the confidentiality, integrity and availability of such information. Put differently: companies have come to realise that they are at present legally obliged to provide data protection. They know that failure to honour this obligation can lead to abysmal legal consequences. It is, however, not only companies that are waking up to the data protection and privacy challenge. Worldwide, legislatures have also come to recognise the increased importance of information/data protection and have reacted by developing certain statutory and regulatory provisions pertaining thereto. The legal position in South Africa is no exception. In the past, corporate South Africa has only been provided with a patchwork of suggestions and recommendations on the development and implementation of a data protection infrastructure in their companies. One of the major deficiencies encountered in South African legislation relating to data protection is the lack of control such legislation affords individuals, not only over who has access to their personal information, but also over the purposes for which it may be used and to whom it may be transferred. As a result of this lacuna, individuals often do not know that their personal information has been disclosed until they suffer some type of financial loss or fall victim to identity theft. The proposed Protection of Personal Information Bill has been introduced to address these deficiencies. This Bill is said to be enacted in 2009 and will undeniably change corporate South Africa’s data protection practices. This paper will provide companies with practical guidance on how to become compliant with the Bill and highlight potential legal pitfalls for companies.
