POPI countdown: Is your business ready and compliant?

Striata’s Stergios Saltas shares everything organisations need to know to be POPI compliant.

The clock is rapidly running out on South Africa’s Protection of Personal Information Act (POPI) grace period. After the Act came into effect on 1 July 2020, organisations were given a year to get their houses in order, or risk facing fines and other sanctions.

Of course, every organisation should ideally have everything in place by now. But as we saw with the European Union’s General Data Protection Regulation (GDPR), a long lead-up time doesn’t guarantee compliance. And even if you think your organisation has done everything it needs to in order to be POPI compliant, it’s worth making absolutely certain.

The importance of POPI
In order to understand where you need to be in terms of POPI compliance, however, it’s important to remember what the legislation is trying to achieve.

At its heart, POPI is designed to protect people’s personal information and data. Additionally, it requires organisations to collect only the information they need for a specific purpose, to apply reasonable security measures to protect the data under their care, to ensure it is relevant and up to date, to hold only the information they need for only as long as they need it, and to allow the person to whom it relates to see it on request.

The legislation also requires organisations to appoint an information officer, establish processes and set up systems (if they do not have them) to ensure that data is constantly secured, new data is appropriately handled, and expired data is destroyed.

Claim the quick wins
As much as you might feel that you’ve met those requirements, there are actions you can (and should) take to be absolutely sure.

Ideally, you should start with actions that can result in quick wins. These can include:

Understand the scope – document the categories of data subjects within your company and describe the personal information that is processed for each.

Assign data privacy responsibility – appoint an information officer and a data privacy team who will be responsible for reaching and maintaining POPI compliance. Be sure to include representatives from each data subject category (HR, sales and marketing) and from functional areas, such as technology, operations and information security.

Draft a privacy policy – fortunately, you don’t have to start from scratch, as there are many templates available online. It also helps to look at the privacy policies of other companies in your space.

Raise employee awareness – draft a series of communications to employees about the intention of the Act, what is required from the company and what is expected of each employee. Enlightened employees are an important factor in keeping information secure.

Ongoing compliance
As important as immediate POPI compliance is, however, it’s equally vital that your organisation takes actions that will ensure ongoing compliance.

These include:

1. Starting point – using the categories of data subjects you defined above, map the flow of personal information into, through and out of your business, including external parties that have access to that information.

2. Perform a gap analysis – identify the areas of data flow in your business that do not conform to the requirements of the Act. This requires a team that has familiarised itself with the data privacy obligations.

3. Audit your vendor contracts – if you use vendors and personal data is transferred from your business to theirs to perform a function, the agreement between the parties needs to place adequate obligations on both parties regarding the protection of that information.

4. Operators, audit your client contracts – although POPI places the responsibility for data protection on the responsible party, best practice and logic dictate that the agreement between a responsible party and an operator must deal with each party’s obligations when it comes to data protection.

5. Plan for worst-case – draw up a response plan in the event that your company does experience a data breach. The plan must detail who is responsible for investigating the incident, as well as who is responsible for communicating with the affected parties.

Beyond the legalities
No matter how much bite POPI ends up having, organisations should view it as the least they can do. By ensuring they have the right data protection mechanisms in place, organisations not only position themselves to better defend against data breaches but also to react to them more efficiently. This will help entrench customer trust and reduce the impact of a breach if and when it happens.

Finally, it’s important to note that POPI compliance should go beyond the organisation itself. Organisations should also have digital communication and other service providers in place who are themselves compliant and understand the complexities of POPI.