The new Protection of Personal Information Act is an excellent piece of legislation when considered from a consumer point of view; and since we are all consumers, it is easy to miss the big-picture ramifications for small businesses.
The issue arises because high-level laws are created to be followed by large organisations, but their typical response is to impose their compliance requirements directly on their suppliers, who are usually small businesses. So irrespective of the intention of the legislature with respect to SMEs, it is lost through the application of the legislation by the large corporates, particularly where the legislation doesn't stipulate how the rules need to be followed.
To oversimplify it, it's as if the legislature has said businesses have to provide their clients with coffee. Large organisations, unsure what parameters to follow in order to meet the law, have gone all out, sparing no expense - buying fancy coffee machines, using imported beans, bottled spring water, full cream milk and brown sugar cubes to be served silver service.
Here is where it gets complicated. There is a single item under the security section of the Act that says the responsible party (the big business) must ensure that the operator (vendor) maintains the security rules established by the responsible party; the equivalent of saying they too need to make the client coffee.
Because the legislation hasn’t clearly defined how this coffee should be made, big businesses are going to their vendors and telling them that they can't just provide their clients with instant coffee, low fat milk and grains of sugar; they have to provide the exact same coffee in the exact same way as the large corporate. And if they won't sign the contracts that agree to do so, they will be removed from the vendor list.
The small businesses can't necessarily afford to invest to the same level as large businesses in big coffee machines, imported coffee and bottled water, but at the same time they can't afford to lose the big corporate business either. And if the multiple businesses that use the small business as a vendor all have different ways of making different brands of coffee, the small business would essentially turn into a coffee shop.
So what is the answer? There needs to be clarity on what exactly compliance looks like, with clear guidelines, taking into account all levels of business that this Act will affect. There also need to be clear rules as to what the operators can be expected to provide. Until then, large corporations will be able to affect the course of SME development by forcing their vendors to comply with whatever they consider to be reasonable.
*As published in Accountancy South Africa magazine in November 2014