• Protection of Personal Information Compliance

Protection of Personal Information Compliance

What is POPIA?

Protection of Personal Information Act, 2013 (POPIA) is our overarching piece privacy legislation. Some of the most important provisions:

  • The 8 conditions
  • Notification and investigation
  • Direct marketing
  • Trans-border flows
  • Enforcement

The EU’s General Data Protection Regulation (“GDPR”): POPIA goes a long way to assisting companies operating in the EU to comply.

How do you achieve compliance?

STEP 1: Assign an information officer (IO)

The IO is the point person: responsible for ensuring compliance with both POPIA and PAIA. Will be tasked with addressing some of these questions:

  • Who is in charge of data protection and security compliance in the company;
  • What does the company do to keep data secure;
  • Have all data subjects received notices and granted consent where required;
  • Have appropriate notices been given to the Information Regulator where required;
  • Does the company receive or send data on persons in SA or in other jurisdictions across borders;
  • Do the company’s marketing activities comply with applicable laws;
  • Do you have products, processes and standard terms that ensure compliance?

BDO can help:

  • Identify IO
  • Train IO
  • Support IO

STEP 2: Identify protected data fields

To achieve this, you will need to establish a data asset register with:

  • Data
    • records
    • sensitive, protected fields
  • Purpose
  • Permission
    • minors?
  • Archival
    • off-shore
    • purging
  • Third-parties
    • domestic,
    • foreign
  • Quality
    • metrics
    • curation

BDO can help:

  • Initial POPIA self-assessment questionnaire
  • Gap analysis
  • Data Asset Register
  • Automatic sensitive field discovery
  • Record which data is used
  • where?
  • for what?
  • by who?
  • from whom?
  • for how long?

STEP 3: Select best-practice security standards

  • POPIA regulations
    • yet to be published
  • EU General Data Protection Regulation
  • USA FIPS 200
    • NIST 800-53
    • NIST 809-171
  • ISO 27000
    • ISO 27002 controls
    • GAPP

BDO can help:

  • KnowRisk risk management
  • customised risk appetite
  • Risk/controls libraries
  • ISO 27002
  • NIST 800
  • Gap analysis and report

STEP 4: Conclude contracts with third parties

POPIA requires that third parties you deal with also be compliant.

You will need to:

  • Conclude / review contracts with suppliers and customers;
  • Update them where necessary to provide appropriate undertakings;
  • Ensure that you include favourable indemnities and liability limitations;
  • Verify whether suppliers actually have their own policies and procedures in place.

STEP 5: Establish policies, procedures, and controls

  • Policies
  • why, what
  • Procedures
  • how
  • Controls
  • mitigative - preventative
  • contingent - insurance
  • Training

BDO can help:

  • IT general controls review
  • Library of
  • Policies
  • Procedures
  • Controls
  • Audit - gap analysis
  • Remediation

Contact Us for a Quote