The PoPI Legacy System Headache in South Africa
Compliance with the Protection of Personal Information (PoPI) Act is not simply a nice-to-have for South African insurers – it’s an absolute must! The potential of large fines and resultant bad publicity for those who are non-compliant could badly damage insurers’ reputation and share price. However, complying with PoPI is difficult given the complex spaghetti of administrative, customer, and data systems, not to mention manual processes, that many large-scale insurers possess. It must also be remembered that most of a customers’ personal information is stored in policy administration systems and many insurers have multiple instances of such systems. As an extreme example, one large UK composite insurer maintains 27 different short-term insurance core administration systems and 39 core life systems!
Let’s consider two of the main challenges for complying with PoPI…
The Multiple Legacy System Headache
As noted above, many insurers have multiple policy administration, CRM and data legacy systems. This creates problems for PoPI compliance, as a customer’s data could be fragmented/replicated, and stored in several systems. Consequently, insurers will need to attach identifiers to all instances of a customer’s data and ensure that the data is only utilised when the customer has given consent, and for the purpose the content was provided. For example, personal data that a life insurance customer has given consent to use cannot automatically be utilised to market householders’ insurance.
Another aspect of the same problem is that insurers must be capable of ‘forgetting’ or deleting a customer’s personal data across all relevant system and ensuring that this data cannot be used. This effectively means deleting or destroying all personal data. Many older systems don’t have a ‘delete client data button’, and thus either special routines will have to be built, or a manual approach taken!
As an example, consider a customer with a number of different policies stored on several systems (a customer could have life, investment, and short-term policies with a single insurer). The insurer must either make these changes manually (expending time and resources), or develop an automated process that deletes all a client’s data across all relevant systems so that when a customer instructs the insurer to ‘forget me’, the request is automatically executed.
Identifying Personal Information
Insurers must be able to identify personal information. PoPI, unlike GDPR, clearly specifies what constitutes ‘personal information’. That definition includes the varied nature of the data elements (alpha-numeric characters, text, images, biological material, etc.), and the unstructured nature of some of the data elements (such as images and free text, correspondence, and ‘views or opinions’). Utilising personal information requires the customer’s express consent.
Currently, there aren’t any cookie-specific laws. If cookies or other tracking derived information is eventually deemed personal information, there would need to be reasonable grounds for justification to process this information
Personal information relating to children (under the age of 18) and special personal information (including private information relating to religious beliefs, race, trade union membership, health or sex life, biometrics, and criminal offences) are considered ‘sensitive’ and subject to onerous processing obligations.
An important role for the insurer’s information officer will be to determine the rules around defining personal information and being able to articulate that to the rest of the organisation. Regardless, insurers may only store and process personal information when necessary. For example, if a customer takes out household insurance, the insurer doesn’t need to know how many cars s/he drives or how many vacation days s/he takes.
For additional information, please check out my NEW white paper: PoPI Challenges and Solutions for South African Insurers. It examines all of the challenges facing insurers on the road towards full PoPI compliance, as well as some opportunities that will likely result from the regulations, and how insurers can maximise those opportunities.