Walking the data protection-remote work tightrope

Kevin Phillips considers the impact of remote working on South Africa’s now fully implemented Protection of Personal Information (POPI) Act. Has legal lag made it unworkable in the modern, distributed workplace?


The “legal lag” phenomenon is not new. Laws have long struggled to keep up with rapidly advancing technology, but this gap is widening in the 21st century. The fourth industrial revolution and the incredible advances in digital technology and technology-enabled business models are driving an even more pronounced disconnect between our laws and our reality.


Consider the global debates over regulating Uber and other ride-hail taxi services; Airbnb and similar services disrupting the travel and tourism industry; and governments scrambling to regulate cryptocurrencies. Locally, the South African Broadcasting Service (SABC) has recently tied itself up in knots over trying to extend TV licence fees to local and international video-on-demand services (including attempting to make these service providers, and smart device sellers, responsible for collecting the licence fees).


Indeed, the gap has not only widened between traditional laws and the digital world, but is also, I’d argue, evident in new laws designed to tackle our digital reality. By the time the new legislation is implemented, the environment has moved on so much that the law is out of date already. Take the Protection of Personal Information (POPI) Act and the distributed workforce.


Remote working had already been an emerging trend around the world but then along came the pandemic, which accelerated the shift. This was only possible thanks to cloud-based collaboration and communication technology. It now looks like a version of remote working is here to stay, with employees unwilling to give up the flexibility they’ve got used to during the pandemic and many companies settling on a variation of hybrid working. Certainly, at the time of writing this, the South African government was urging businesses to allow people to work from home unless it was entirely unfeasible.


At the same time, as you’ll no doubt be more than aware based on the number of emails you’ve already received about this from newsletters you barely remember signing up to, the POPI Act went into full force on 1 July 2021. Given that the first draft of the legislation was introduced back in 2009 (the same year the Apple iPhone launched in South Africa!), much has changed while the act was being passed. And inevitably companies are starting to run into a protection of personal information vs productivity disconnect, greatly exacerbated by the changing face of the workforce.


The POPI Act tends to think about the storage and transport of data in terms of a centralised office location. This is also a feature of other protection of personal information legislation such as the EU’s General Data Protection Regulation (GDPR). Back when the POPI Act was being drafted, organisations were easy to define and protect, both physically and virtually. The boundary between an organisation and the outside world was obvious, with cameras and biometrics monitoring physical entrances, exits and behaviour on site. Data protection officers could make sure hard copies of documents were safely stored, accessed only by relevant people, and disposed of securely. Virtually, an organisation's digital footprint was also easy to see and protect. For the most part, employees were accessing company assets from the corporate network, and their activity could be monitored and controlled to protect the access, movement and storage of valuable personal identification data.


The remote working/data protection divide

This has all been flipped with the shift to working from home. And while we've had 18 months to adapt, harden temporary measures and fill any gaps in data protection and other security measures, in practice a disconnect remains.


For instance, it is unviable to expect the same physical security measures in place at people's homes. Can you imagine demanding employees add security cameras and biometric scanners to their home office or work area? This feels like an overreach and a violation of their and their family or housemates’ privacy. Similarly, even if the company provides a safe or lockable cabinet for employees to store hard copies of personal identification data, and shredders to destroy them when required, there is less oversight and control over whether the employee complies with these requirements.


Sure, a fully paperless work environment is a solution. But how many of us habitually make quick scribbles on sticky notes – which could include personal identification information?


Remote work in the virtual space is also a challenge for data protection officers. More devices connected remotely to corporate networks and cloud services mean more opportunities for cybercriminals to attack. As our personal and professional lives increasingly merge, so too do our devices, with personal devices used to check email or messages, professional devices used for entertainment, and devices shared amongst household members.


The reality is that a remote workforce, for all its benefits, also has very real limitations when it comes to compliance with the POPI Act. Without physical proximity, data protection officers cannot easily check whether employees are following regulations, and employees cannot lean over and confirm that their manager did indeed ask them to click on a link to make an urgent payment. This divide threatens organisations’ ability to safeguard essential personal identification data.


Productivity and speed in a post-pandemic world

What’s more, we are all expected to work with more flexibility and agility to drive innovation and customer service in our organisations to help spur on the post-pandemic recovery. How does this speed and flexibility – powered by digital transformation – square with onerous, impractical data protection compliance requirements that were designed in and for another working world?


Of course, the protection of personal information is vital and will become increasingly important as more of our lives shift online. Remote working and the emerging hybrid model of working are both positive and unavoidable. So, genuine question, is it even possible to comply with legislation designed for a central workplace in today’s decentralised working world? Do we need to reflect on the current protection of personal information legislation to make it more appropriate for today’s decentralised business environment?


As published in Accountancy SA, November 2021