A clear perspective on the Protection of Personal Information (POPIA)
For many organisations, information is their most valuable asset – one that they need to collect, handle, and protect with care. Many are unclear as to how investing time and money in data privacy and POPIA compliance will benefit their organisation. Our approach to data privacy is to first understand our clients’ business, the purposes and uses of personal information, as well as how data is managed throughout the organisation. To comply with privacy regulations like Protection of Personal Information (POPIA), among other privacy requirements, companies need to invest in data protection strategies by defining their policies and determining the necessary controls to protect personal information. Here is a check list to determine your readiness
POPIA Compliance
South Africa’s Protection of Personal Information Act (POPIA) and its related regulations are far-reaching. With steep penalties for organisations that are not in compliance, ensure that your organisation is taking the proper precautions to protect your data. Alternatively contact one our professionals for a clear perspective.
Relevance & Responsibilities
- Identify relevant business processes, systems and data sets likely to contain personal information
- Determine whether your company processes personal information belonging to a ‘data subject’
- Determine your responsibilities as a ‘responsible party’ or data ‘operator’ – or, in some cases, both
- Identify third parties who have access to or process the personal information you obtain
Readiness
- Review your current data privacy and security policies against all relevant Authority Documents - not just POPIA - to identify synergies and gaps
- Conduct a data mapping exercise to identify, classify and inventory all data assets
- Review your contracts with relevant third parties to ensure you include POPIA-relevant language
- Review privacy notices to ensure transparency, fairness and accessibility
- Provide POPIA training to your staff
- Test your incident response capabilities to ensure notification takes place as soon as reasonably possible
Remediate
- Develop a detailed remediation roadmap to prioritise and ensure timely compliance
- Update policies and procedures or create new ones to address gaps
- Implement privacy principles and security controls in all systems and processes
- Review and update cross-border data transfer processes to conform with country-specific conditions
Prepare for Audit
- Develop and maintain a data register to record all processing activities
- Designate an Information Officer to serve as liaison to the relevant supervisory authorities
- Document all ongoing policies, procedures and controls needed to substantiate compliance with POPIA requirements
- Ask vendors to provide evidence they are taking steps to be POPIA compliant and conduct regular due diligence