After what seemed like an interminably long wait, South Africa’s Protection of Personal Information Act (POPI) came into effect in July 2020. On 1 July this year, its year-long grace period comes to an end, meaning that organisations in breach of the act should start facing sanctions within the next few months, says Stergios Saltas, Operations Director, Striata.
While it remains to be seen how vociferously POPI will be enforced, it’s better to be prepared than not. Organisations have had a long time to become POPI compliant, so there really should be no excuse not to be. But, as we saw with the European Union’s General Data Protection Regulation (GDPR), that there is a long lead-up is no guarantee of compliance.
With that in mind, it’s worth taking a look at what organisations should have in place before the end of the grace period.
Before doing so, it’s important to remember that POPI is designed to protect people’s personal information and data. Amongst other things, this requires organisations to only collect information they need for a specific purpose, to apply reasonable security measures to protect the data under their care, to ensure it is relevant and up to date, to only hold the information they need, for only as long as they need it, and to allow the person who it relates to, to see it if required.
Additionally, companies are required to appoint an information officer, establish processes and set up systems (if they do not have them) to ensure that data is constantly secured, new data is appropriately handled, and expired data is destroyed.
Identifying quick wins
Even if your organisation feels like it’s operating in line with those requirements, it’s worth looking at what actions you can take to be absolutely sure.
A good place to start is with actions that can result in quick wins, such as:
Understand the scope – document the categories of data subjects within your company and describe the personal information that is processed for each.
Assign data privacy responsibility – appoint an information officer and a data privacy team who will be responsible for reaching and maintaining POPI compliance. Be sure to include representatives from each data subject category (HR, sales and marketing) and from functional areas, such as technology, operations and information security.
Raise employee awareness – draft a series of communications to employees about the intention of the Act, what is required from the company and what is expected of each employee. Enlightened employees are an important factor in keeping information secure.
Preparing for long-term compliance
While taking these actions can go a long way to preparing organisations for POPI compliance, there are longer-term actions that are also important.
1. Starting point – using the categories of data subjects you defined above, map the flow of personal information into, through and out of your business, including external parties that have access to that information.
2. Perform a gap analysis – identify the areas of data flow in your business that do not conform to the requirements of the Act. This requires a team that has familiarized themselves with the data privacy obligations.
3. Audit your vendor contracts – if you use vendors and personal data is transferred from your business to theirs to perform a function, the agreement between the parties needs to place adequate obligations on both parties regarding the protection of that information.
4. Operators, audit your client contracts – although POPI places the responsibility for data protection on the responsible party, best practice and logic dictates that the agreement between a responsible party and an operator must deal with each party’s obligations when it comes to data protection.
5. Plan for worst-case – draw up a response plan in the event that your company does experience a data breach. The plan must detail who is responsible for investigating the incident, as well as who is responsible for communicating with the affected parties.
Beyond legal compliance
By taking the above steps, organisations should go a long way to ensuring that they don’t fall foul of the regulator once the grace period ends on 1 July. It should be noted, however, that it isn’t a “once-and-done” procedure. Ensuring POPI compliance should be an ongoing exercise for every organisation.
It’s also important to remember that data protection isn’t just about legal compliance. By ensuring that it has the right data protection mechanisms in place, an organisation not only positions itself to better defend against data breaches but to react to them more efficiently. Having digital communication and other service providers in place who are themselves compliant and understand the complexities of POPI can save an organisation a lot of time and effort.