By Ridwaan Boda and Wilmari Strachan
technology, media and telecommunications (TMT)
Five easy steps to POPI compliance
The enactment of the EU's General Data Protection Regulation (GDPR), which came into effect last year, and the imminent proclamation of the commencement date of South Africa's own data privacy legislation, the Protection of Personal Information Act, 2013 ("POPI"), have been the cause of disquiet for many organisations' directors and compliance officers.
Stricter data privacy legislation requires organisations to implement rigorous data processing standards that protect the privacy and security of personal information. Penalties for non-compliance are hefty, as the EUR50-million fine imposed on Google by France's data protection authority (CNIL) in January this year for non-compliance with the GDPR shows.
While ensuring compliance might seem overwhelming, it can in fact be achieved in five easy steps:
- Appoint or reassess the role of the information officer. In terms of the regulations under POPI, the duties imposed on the information officer have been extended and now include certain mandatory duties. By default, the information officer of a private body is its head (generally the CEO), unless the role has been delegated. The first step to compliance is therefore to appoint an information officer if the organisation does not already have one, or to reassess the role of the existing information officer against the requirements set out in POPI.
- Create awareness. In order to ensure effective compliance, buy-in from senior management all the way down the chain of command is needed. Make sure employees understand what data privacy legislation entails and what is required of them. This can be achieved through interactive awareness training.
- Personal information impact assessment. Once employees are informed, self-assessments and audits should begin in each business unit across the organisation. It is important to understand what personal information is collected, how and by whom it is collected, what it is used for, how it is stored and processed, how it is retained and destroyed, and whether it was collected with the necessary consent (or on another lawful basis recognised by POPI). Once the self-audits are completed, the organisation should have a clear understanding of how it processes personal information, and will be in a position to identify gaps and produce a clear gap analysis and risk assessment report.
- Develop a compliance framework, which can include processes and policies. A proper gap analysis will help identify which processes and policies have to be put in place. These may include:
- updates to employment contracts
- updates to supplier agreements
- changes to marketing practices (opt-in and opt-out best practice)
- implementation of policies like: personal information sharing policy, security compromises policy, subject access request policy, CCTV camera policy, bring your own device policy, Promotion of Access to Information Act, 2000 ("PAIA") manual, to mention a few.
- Implementation. The compliance framework must be implemented, monitored and maintained; policies and procedures do nothing to aid compliance if they are not properly implemented. The last step to compliance is therefore to ensure the proper implementation of the new policies and procedures through in-depth training, awareness campaigns, annual retraining and compliance audits.
How ENSafrica’s POPI Toolkit can help achieve compliance
ENSafrica, in conjunction with a leading data privacy expert, has designed a POPI Toolkit based on international and local South African legal requirements and global best practice.
The POPI Toolkit is a comprehensive compliance programme, and is a quick and cost effective way for organisations to fast track POPI compliance and effectively manage risk.
The toolkit comprises:
- half-day POPI training workshop
- simplified POPI guide
- POPI audit questionnaire (which can easily be used by business units to effectively conduct self-audits)
- a copy of POPI and a copy of PAIA
- a dos and don’ts list
- data protection policy
- personal information sharing policy
- security compromises policy
- subject access request policy
- CCTV camera policy
- bring your own device policy
- model consent clause
- model operator clauses
- record retention policy
- password policy
- information officer appointment letter