Overview of POPIA Compliance
The Protection of Personal Information Act No 4 of 2013 (“POPIA”) is principle-based legislation. Accordingly, there is no single right way of ensuring compliance with the eight conditions in POPIA and its other relevant provisions; however, an overview of suggested steps includes:
- Register your Information Officer with the Information Regulator
- Communicate details of the Information Officer to your organisation
- Information Officer to understand his or her duties under POPIA and the Regulations
  At a minimum, this means reading POPIA and the Regulations and understanding the key definitions, the eight conditions and the other key provisions addressing Special Information, Transborder Information Flows, Prior Authorisation, Direct Marketing by means of Unsolicited Electronic Communications, and Automated Decision Making. The Information Officer should ideally receive support and should be at management level within the organisation.
- Mapping out of Personal Information
  The manner of understanding how an organisation processes personal information across its operations may differ and may involve different tools and technologies; however, in simple terms:
  - Categorise your data subjects (the persons to whom personal information relates), for example customers/clients/patients, employees, shareholders, board members, etc.
  - In respect of each category of data subject, record the purpose of collection and of ongoing processing of personal information. Understanding the purpose is key.
  - Determine and document supplier relationships.
  - Document the type of personal information you hold in respect of each category of data subject (for example identity number, physical address, email address).
  - Document whether the purpose of the processing and the record of personal information arises in compliance with another law, such as the Companies Act or the Basic Conditions of Employment Act, or whether it arises by virtue of a contract.
  - Flag any special information processed (see sections 26 to 33 of POPIA).
  - Record whether each record of personal information is a physical or an electronic copy.
  - Identify the security measures applied to the storage method and the access levels within the organisation.
- As against the mapped personal information:
  - Consider the eight conditions in POPIA;
  - Consider other relevant provisions in POPIA, such as those pertaining to:
    - Special Information;
    - Prior Authorisation;
    - Rights of Data Subjects regarding Direct Marketing by means of Unsolicited Electronic Communications;
    - Directories and Automated Decision Making;
    - Transborder Information Flow;
- List action items in a compliance framework, determine any risks and concerns, and implement the action items to remedy them. Continually revisit the framework and use it as the basis from which to address POPIA compliance going forward;
- Depending on the current level of compliance, action items may include implementing security safeguards, reviewing application forms and client onboarding processes, reviewing supplier agreements, and implementing retention policies, data privacy policies, staff awareness training and a PAIA Manual;
- Ongoing Personal Information Impact Assessments will be required (their purpose is to confirm that adequate standards and measures exist to comply with the conditions for lawful processing).
Article by Lisa Boogaard
19 Sep 2021