A clear perspective on the Protection of Personal Information (POPIA)
For many organisations, information is their most valuable asset – one that they need to collect, handle and protect with care. Many are unclear as to how investing time and money in data privacy and POPIA compliance will benefit their organisation. Our approach to data privacy is to first understand our clients’ business, the purposes and uses of personal information, as well as how data is managed throughout the organisation.
To comply with privacy regulations like the Protection of Personal Information Act (POPIA), among other privacy requirements, companies need to invest in data protection strategies by defining their policies and determining the necessary controls required to protect personal information.
Here is a check list to determine your readiness:
1) POPIA compliance
South Africa’s Protection of Personal Information Act (POPIA) and its related regulations are far reaching. With steep penalties for organisations that are not in compliance, you are advised to ensure that your organisation is taking the proper precautions to protect your data. One our professionals can offer you a clear perspective.
2) Relevance and responsibilities
It is best practice to:
- Identify relevant business processes, systems and data sets likely to contain personal information
- Determine whether your company processes personal information belonging to a ‘data subject’
- Determine your responsibilities as a ‘responsible party’ or data ‘operator’ – or, in some cases, both
- Identify third parties who have access to or process the personal information you obtain.
3) Readiness
The next steps are to:
- Review your current data privacy and security policies against all relevant Authority Documents - not just POPIA - to identify synergies and gaps
- Conduct a data mapping exercise to identify, classify and inventory all data assets
- Review your contracts with relevant third parties to ensure you include POPIA-relevant language
- Review privacy notices to ensure transparency, fairness and accessibility
- Provide POPIA training to your staff
- Test your incident response capabilities to ensure notification takes place as soon as reasonably possible.
4) Remediation
Further steps include:
- Develop a detailed remediation roadmap to prioritise and ensure timely compliance
- Update policies and procedures or create new ones to address gaps
- Implement privacy principles and security controls in all systems and processes
- Review and update cross-border data transfer processes to conform with country-specific conditions.
5) Preparation for audit
The final stages are to:
- Develop and maintain a data register to record all processing activities
- Designate an Information Officer to serve as liaison to the relevant supervisory authorities
- Document all ongoing policies, procedures and controls needed to substantiate compliance with POPIA requirements
- Ask vendors to provide evidence they are taking steps to be POPIA compliant and conduct regular due diligence.