Is the Cloud Complicating PoPI Compliance in South Africa?

The insurance environment in South Africa is changing rapidly, driven by increasing regulation, competitive pressures and the development of new, innovative technologies. The Internet of Things (IoT), Big Data, Bring Your Own Device (BYOD) and similar disruptive technologies have created an inter-connected web of constantly evolving and shifting customer data. The growth of cyber-crime (which is advancing alongside the technologies) has the potential to create a data time-bomb. Insurers will need to ensure they are not only compliant in managing existing customer information, but also information that will be generated in the future by new technologies, while protecting against cyber-crime.

The Protection of Personal Information (PoPI) Act – which primarily governs the way personal information is collected, retained, used, disseminated, and deleted – will further stretch South African organizations, including insurers. There is little doubt that PoPI compliance will be a major challenge for insurers, who will have to change the way they store, handle, process, and report on breaches of their customers’ personal information. Basically, PoPI compliance involves capturing the minimum required personal information, ensuring its accuracy and security, and removing information that is no longer required from their software.

Customer information that enables an insurer to profile or identify a customer, or their interests, offers significant strategic value in today’s highly competitive insurance marketplace. As a result, insurers are constantly striving to increase the quality and depth of their customer data. Over time, though, the rights of customers to privacy and confidentiality may have gradually eroded. In some instances, this has given rise to sub-optimal information management practices.

Irrespective of the pressures to comply with regulatory data requirements, in today’s connected world insurers must put in place the software, structures, processes and governance controls to ensure data is secured, processed, and managed properly. This will be exceedingly difficult without modern policy administration systems (PAS) and digital customer engagement technology.

Clouding the Issue

Perhaps one of the most interesting aspects of PoPI to consider is the utilisation of a cloud-based environment and whether personal data may be stored outside of the borders of South Africa. PoPI seeks to strictly enforce data sovereignty and prevent some offshore data flows. With cloud computing, and specifically the public cloud, data that insurers generate will probably reside on servers outside the legal or territorial border of South Africa. This means, in practice, that personal information of a customer may be subject to a foreign data regulatory regime, such as GDPR.

To be clear, PoPI does not expressly prohibit the transfer of customer data outside of South Africa. But it does regulate how personal information may lawfully be transferred internationally. Cross-border data flows are not prohibited. Instead, PoPI acts as an enabler and protector of personal information by providing a set of five conditions that a responsible party needs to apply. These conditions seek to protect a data subject’s personal information as it moves offshore. If none of these conditions are met, a data subject’s personal information may not be transferred outside of South Africa.

Insurers will have to ensure that the safeguards required by PoPI are addressed by implementing appropriate controls to ensure that any cloud environment that the insurer operates is secure and compliant. If not, a breach of this information could have a considerable impact on data subjects and the insurer.

For additional information, please check out my NEW white paper: PoPI Challenges and Solutions for South African Insurers. It examines the challenges facing insurers on the road towards full PoPI compliance, as well as some new developments that will likely result from the regulations, and how insurers can maximise those opportunities.

Read more about Sapiens’ insurance software and related Sapiens’ solutions.


Brian Heale

Brian Heale is a senior insurance consultant with Sapiens. He is an international insurance, risk, product, and technology specialist, with significant experience in strategic product management, developing core administration/BPO and actuarial/risk modelling solutions for the global insurance industry. He possesses in-depth knowledge of the South African and UK markets and the major regulatory initiatives, including PoPI, GDPR, RDR, IFRS 17, and Solvency II.
