Professor Mervyn King on POPI and Corporate Governance

Speaking at a seminar on POPI on 29 August 2017, professor Mervyn King started his presentation by pointing out that King IV separates technology from information. Professor King explained that this was because of the importance of separating the protection of personal information and the access to personal information.

King stated that a cyber breach is a much greater risk today than disaster recovery, emphasising the importance of information security in a world of cybercrime. “Hackers exploit an ecosystem built around a model of open collaboration and trust,” King said, and the estimated 100 000 daily breaches on listed companies worldwide underline the magnitude of this problem.


In order to protect personal information, King raised the following key points:

POPI recommendations to protect personal information resized

The basis of the POPI Act

King explained that the basis of the POPI Act is that organisations need to conduct themselves responsibly, stating that this is the cornerstone of the King report: responsible corporate citizenship. Organisations should not only be responsible but should be seen to be responsible corporate citizens. Part of this responsibility is to protect the information inside the organisation, to be responsible when it comes to the process of storing and sharing personal information. Professor King emphasised that personal information is to be seen as precious goods and that the act requires organisations to exercise control over these precious goods.

What constitutes as personal information under the POPI act?

  • Identity or passport number
  • Date of birth and age
  • Phone numbers
  • Email address
  • Online messaging identities
  • Physical address
  • Gender, race and ethnic origin
  • Photos, voice recordings, video footage
  • Marital relationship and family relations
  • Criminal record
  • Private correspondence
  • Religious or philosophical beliefs including personal and political opinions
  • Employment history and salary information
  • Financial information
  • Education information
  • Physical and mental health information including medical history
  • Membership of organisations

The impact of technology on protecting personal information

Due to technology convergence, there is an increased opportunity for attacks. King pointed out that everyone with a cellphone, iPad and laptop are aiders and abettors to cybercriminals. Every device offers a hacker an opportunity to get into personal information. Social media sites like Facebook and LinkedIn also serve as a bank of personal information, which, in criminal hands, can cause serious harm to both individuals and organisations. Every person has a duty to protect him or herself, and the POPI Act cannot protect one if one doesn’t care to protect oneself.

Who does the act apply to?

The act also applies to other than a natural person; it, therefore, includes companies or any other legally recognised organisation. All organisations are seen as data subjects and are afforded the same right of protection.

POPI as a universal application

Professor King states that most countries have a POPI Act and South Africa’s POPI Act is based on UK legislation. Ignorance of the law is no excuse and companies need to update IT systems and start training and educating staff, since early action is essential.

General Data Protection Regulation (GDPR)

King stated that, because the EU is South Africa’s largest trading partner, we cannot ignore the general provisions with regards to personal information laid out in the General Data Protection Regulation. The GDPR is designed to protect the information of individuals within the EU, it protects the export of personal data outside the EU. The objective is to give back control to citizens and residents over their personal data.

Application of the GDPR

The GDPR applies to data controllers, data processors or the data subject being the individual. It applies extra-terriotorially and to any information relating to an individual.

Accountability in terms of the GDPR

The data subject has the right to question information made available purely on an algorithmic basis, as well as the right to an explanation. Furthermore, measures are needed to include pseudonymising personal data by a controller. King states that the definition of “adequate” pseudonymising is a question of fact in each case. In the case of encrypted information, the decryption must be kept separate, since, as King states, what’s been encrypted can always be decrypted.

Public authority and the GDPR

King emphasises the need for any public authority has to have a data protection officer and has to be proficient at managing its IT processes, stating that governance and company requirements must be met when appointing the Data Protection Officer.

Pseudonymisation and the GDPR

Pseudonymisation is the process that transforms personal data so that it cannot be attributed to a specific person. This is recommended in the GDPR.

Sanctions in terms of the GDPR

King explained that any breach of the GDPR carries heavy fines and can result in the Supervisory Authority ordering regular periodic data protection audits.

Management responsibility

It is the responsibility of management to ensure that all structures, processes, and mechanisms are in place and to execute the IT framework.

Questions that need to be asked in terms of IT structures are:

  • Is IT on track to achieve its objective?
  • Is it resilient enough to adapt to the strategy?
  • Is it adequately protected from the risks it faces?
  • Can opportunities be proactively recognised and acted upon?

Role of the Chief Information Officer

The Chief Information Officer is responsible for the management of IT if an organisation doesn’t have a CIO, King suggests that the service provider fills said role. The CIO needs to understand the long-term strategy of the business and align it with efficient and effective IT solutions, as well as strategically integrate IT into the business strategy. The CIO also has to act as a Data Protection Officer.

Information management

The risks associated with information and information systems need to be managed. King recommends establishing a business continuity programme to ensure the continuous monitoring of all aspects of information; this ensures data quality and security.

The importance of having an Information Security Management System (ISMS)

It is recommended that organisations develop an ISMS. The board needs to oversee the ISMS and management has to implement it. According to King, the ISMS should:

  • Ensure the confidentiality of information
  • Ensure the integrity and security of information
  • Ensure the availability of information and information systems in a timely manner


King, M. (2017). POPI and General Data Protection Regulation. In: POPI – Protection of Personal Information. Johannesburg, pp.2-22.